Security recommendations for production environment
There are security considerations that you need to address for your GAS installation in a production environment, such as which directories users can access.
Use the following list to ensure that your Genero application server is properly secured for users who interact with the GAS, and that users who run Genero applications on the GAS have the right level of access.
- Limit user access to the machine where the GAS is running.
- Ensure that the GAS installation directory ($FGLASDIR) and application data (appdata) directory are protected. You should, at a minimum, restrict global access to these directories to their owner.
  Note: For example, if the user allowed to start the dispatcher is the directory owner, the permission should initially appear as "drwx------" in directory listings in UNIX/Linux-like systems.
  You will then have to grant additional access to directories based on which administrative tasks a user needs to perform. For example, a user allowed to start the dispatcher (fastcgidispatch or isapidispatch) must have read, write, and execute access to specific directories within $FGLASDIR.
  To have different users with different access rights, use groups to organize your users and grant rights for the groups on the required directories. For example, create a group that can launch the dispatcher and permission that group accordingly, create a group for users who deploy applications and permission the group accordingly, and so on. For more details on setting permissions on directories, see Administrative groups permissioning.
- In the GAS configuration file (as.xcf), set the LOG element to ERROR and ACCESS only. The GAS logs may include sensitive or personal user data gathered during the normal course of running applications; access to these logs must be managed and protected.
- Restrict access to the Genero demo applications bundled with the Genero BDL installation. These demos should not be available to users.
  Note: By default, access to the demo applications is allowed only to localhost (127.0.0.1). If you want to enable it for other client machines / IP addresses, you must define access in the ACCESS_CONTROL element.
Administrative groups permissioning
The GAS has several types of administrators, and each type of administrator will require access to different directories within $FGLASDIR. Four Js recommends that you create groups to represent each type of administrator, allowing you to manage access permissions at the group level.
"drwxrw----" in directory listings in UNIX/Linux-like systems. See your operating system documentation for information on working with groups and managing file permissions.
These are the administrative types for the GAS; therefore, these also represent the groups you should create.
- Users allowed to start the dispatcher (fastcgidispatcher or iisdispatcher)
  Grant read, write, and execute permissions to the group for the directories:
  - $FGLASDIR/bin
  - $FGLASDIR/lib
- Users allowed to administer the dispatcher
  Grant read and write permissions to the group for the directories:
  - $(res.appdata.path)/log
  - $(res.appdata.path)/session
  - $(res.appdata.path)/tmp
- Users allowed to deploy Genero applications or services
  Grant read and write permissions to the group for the directories:
  - $(res.path.app); set to $(res.appdata.path)/app by default.
  - $(res.path.services); set to $(res.appdata.path)/services by default.
  - $(res.deployment.root); set to $(res.appdata.path)/deployment by default.
- Users allowed to deploy Genero Browser Clients
  Grant read and write permissions to the group for the directory:
  - $(res.gbc.deployment); set to $(res.appdata.path)/gbc_deployment by default.
For information on configuring deployment resources in the GAS configuration file (as.xcf), see Configure deployment directories.
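To verify the recommendation above that global access to $FGLASDIR and the appdata directory is removed, the following shell function is an added example (it is not part of the Genero documentation or Four Js tooling). It flags any directory whose mode grants read, write, or execute to users outside the owner and group; the function name and the paths passed to it are assumptions.

```shell
#!/bin/sh
# Added example: audit GAS directories for permissions granted to "other".
# The function name is hypothetical; pass your own $FGLASDIR and appdata paths.

# Prints one line per directory and returns 0 if all are clean, 1 otherwise.
audit_gas_dirs() {
    rc=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "MISSING  $dir"
            rc=1
            continue
        fi
        # POSIX find: -prune limits the test to the directory itself;
        # -perm -00N matches when that "other" permission bit is set.
        hit=$(find "$dir" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
        # First ten characters of ls -ld are the mode string, e.g. drwx------
        mode=$(ls -ld "$dir" | cut -c1-10)
        if [ -n "$hit" ]; then
            echo "EXPOSED  $mode  $dir"
            rc=1
        else
            echo "OK       $mode  $dir"
        fi
    done
    return "$rc"
}

# Run the audit when directories are given on the command line.
if [ "$#" -gt 0 ]; then
    audit_gas_dirs "$@"
fi
```

Owner-only and owner-plus-group modes both pass, so the check can be rerun after the administrative groups have been granted their access.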