
CGI Platform Announcement

Marteknet
Grafter
Posts: 577
Registered: 13-10-2007

CGI Platform Announcement

Quote
It's clear from F9's comments on all of this, especially several from Ben, that they consider themselves nothing more than an ISP. Servers and customers' sites appear to be nothing more than unsupported toys.


Yes I totally agree with you, and to add insult to injury they still have blazoned right across their portal opening page "Complete Business solutions to match your budget".

Now that's just plain misleading; it's not complete if it's unreliable and not to a business standard. As for people who say you get what you pay for, my answer is that force9 are saying that they will supply a business account for the budget people have, and even if that's very little compared with other hosting companies they should still supply a professional service as that's what they are advertising. Remember, it's force9 who set the price and define the features of their packages; they should live up to their claims.
Plusnet Staff
Plusnet Staff
Posts: 12,169
Thanks: 18
Fixes: 1
Registered: 04-04-2007

CGI Platform Announcement

As we have previously announced, we have for some time been looking at the security and stability of our CGI platform, an advanced server offering customers access to a Unix Shell and highly functional web server. We can now confirm that we intend to rebuild and replace this platform with a view to addressing the availability and stability issues which have been evident in the past. The proposed new platform will also add extra layers of security to increase user data protection, and tackles issues which have hindered timely maintenance of the current CGI platform.

We would like to document the changes we are planning and also allow ample opportunity for customers to provide feedback on these plans. We have worked hard to strike an effective balance between the improvements we need to make, and the overall usability of the platform, however it should be noted at the outset that these changes will come at a cost in terms of the flexibility and freedom that is currently available. The new CGI platform will be configured very differently and it is envisaged that for some customers this will pose difficulties in compatibility between the old and new systems.

While there is a trade-off here, we envisage that the majority of users will experience no issues, or only very minor issues when transferring their CGI content between the two platforms. We estimate that the people who will be most affected are "fringe" users, who have uncommon CGI applications which utilise more obscure modules or binary programs to achieve their goal. We will of course endeavor to accommodate all customers, but it is possible that not all configurations can continue to be supported on the new platform.

With this in mind, it is intended that the two platforms will be operated side by side for an extended period of time. Due to the fact the new platform configuration will be so different from the old, migration between the two platforms will NOT be forced. Instead customers will be encouraged to trial the new platform to make sure it meets their requirements, before migrating themselves between the platforms. Detailed help will be made available for the new platform to allow easier understanding of the changes that are being made and the implications these may have.

A summary of the main changes between the current platform and the proposed new platform follows:

- Change of operating system from FreeBSD to Debian Linux. This will aid support and maintenance and comply with our current internal policies.

- User CGI programs written in common languages will run as that user and not as one single "server" user. This will greatly aid users' data security.

- The number of binary commands available on the CGI platform will be reduced. This will remove potentially dangerous and less commonly used binaries in order to lessen security threats. This action will also provide for a slight increase in performance.

- Shell access will not be available on the new CGI servers, instead a separate server will exist to allow development with shell access, but these servers themselves will not run web servers. This effectively splits where CGI is developed from where CGI is run, which will aid efficiency and stability, as well as allow greater flexibility in expansion of the service in the future.

- Better default user umasks. User directories will be created with the safest possible permissions from the outset and then users will need to make their own directories less secure if they have a need to. This removes the onus on users to permission their own files, as they currently need to in order to make them secure.

- Access to temporary storage will be restricted to users' own directories. World writable directories such as /tmp will be unavailable to users, instead we would encourage users to put their temporary data within their own filespace.

The following items are also under consideration:

- Ability to point registered domains at user's subdirectories
- Tuning process and resource limits

At this stage in the project, any of the above is subject to change, and we would like to openly extend the opportunity for you to give feedback and suggest changes or additions to the plan. We require all feedback by April 10th, as the estimated delivery timescale for this project is the latter half of April 2005, although this is also subject to change.
N/A

CGI Platform Announcement

The biggest question is: will other users be able to read my PHP files??

If they can then there isn't much point me asking my next question as the database passwords will still be able to be got from the PHP files and the data on there can be compromised! Here goes anyway...

Will there be any kind of SSL functionality, using crofters.force9.net as the domain for example, then adding the user's folder to the end, e.g. https://crofters.force9.net/jarvis/mysecurepage.php


also,

- Will php and mysql be updated?
- Will we be able to run compression/decompression commands such as unzip?


These are the only things that I have found lacking in the current system, although I realise these are large things!


Thanks for keeping us up to date,

Jarv
Plusnet Staff
Plusnet Staff
Posts: 12,169
Thanks: 18
Fixes: 1
Registered: 04-04-2007

CGI Platform Announcement

Hi,

By default it will be set up so that other customers can't read your PHP files, but there aren't plans to offer SSL though.

PHP will be updated to the latest stable version, MySQL is separate so won't be changed as part of the CGI rebuild.

I believe there will be compression/decompression commands on the build server, but I can't say exactly what at this stage.
N/A

CGI Platform Announcement

Ahh yes, forgot MySQL was on different servers :)

Stuff like unzip is available to use now but does not work when run by the webserver. It has worked once or twice intermittently, which led me to think that it was something to do with permissions / memory allocation of the webserver rather than the permissions of my directories.

So I'm taking the SSL as a definite no. This is a big shame as there doesn't seem to be a secure, professional-looking way of collecting data/passwords from users.

Very glad that there will be a way of setting the permissions of my live PHP files so that they will be protected and unreadable from other users and other users' programs run by the webserver :)


Thanks
Dan
Marteknet
Grafter
Posts: 577
Registered: 13-10-2007

Re: CGI Platform Announcement

Quote
however it should be noted at the outset that these changes will come at a cost in terms of the flexibility and freedom that is currently available. The new CGI platform will be configured very differently and it is envisaged that for some customers this will pose difficulties in compatibility between the old and new systems.

The number of binary commands available on the CGI platform will be reduced.

Shell access will not be available on the new CGI servers, instead a separate server will exist to allow development with shell access, but these servers themselves will not run web servers.

Access to temporary storage will be restricted to user's own directories. World writable directories such as /tmp will be unavailable to users, instead we would encourage users to put their temporary data within their own filespace.

At this stage in the project, any of the above is subject to change, and we would like to openly extend the opportunity for you to give feedback and suggest changes or additions to the plan. We require all feedback by April 10th, as the estimated delivery timescale for this project is the latter half of April 2005, although this is also subject to change


Hi Dave.

Can you arrange for more info to be posted on this subject?
There are issues that I am concerned about as I may be one of the "fringe users".

I need info on the following items that may be affected by the planned changes.

System commands and temp usage.
I use these commands in some of my scripts, they work just fine now. Will they fail to operate correctly after the changes come into effect?

tempnam("/tmp", $mytempcode);
system("djpeg $imgfile >$tmpimg");
system("cjpeg -qual 100 $tmpimg > $imgfile");

Also, will any of the PHP graphic commands be affected?
Things like:
imagecopyresized ($file_id,$sfile_id,0,0,0,0,320,240,$sfile_width,$sfile_height);
imagejpeg ($file_id,"$tfile");

Can we have the info before the changeover? This will help towards maintaining working websites. Please consider that some customers are business accounts and sites that are broken cost money in lost fees. Clients will only pay for a functioning web site.
N/A

CGI Platform Announcement

That is a very good point actually, will you be keeping the same php modules with the upgrade (such as image functions)?

The image functions are quite important to my website too, though I do not have any customers relying on it, just my personal gallery system which I spent a long time programming. I also use CURL functions to communicate with paypal/nochex servers to get realtime payment confirmation.

If it's possible to do so, I'm sure it would be very helpful to have a list of modules that will be added/removed, and shell commands that will no longer be available/restricted.

If you are taking requests for modules for consideration I'd like to put forward the zip and/or rar functions :)

Feel like I'm pestering a bit but I want to add my thoughts to this!!

Thanks
Jarv
Plusnet Staff
Plusnet Staff
Posts: 12,169
Thanks: 18
Fixes: 1
Registered: 04-04-2007

CGI Platform Announcement

Hi,

It's a bit too early at the moment for me to say exactly which commands will and won't be there I'm afraid. The new platform is still on the drawing board and some of the things we want to do with it haven't been finalised yet. So I could say yes something is in at the moment and find that when it's built it won't be.

When we actually bring it live the new and old will run in parallel for up to about 6 months so that customers can move their scripts and see if they work, or modify them, or if there's something we could add in easily that would help a lot of customers then add in.

As far as using /tmp is concerned then this may have to be changed. Someone else has suggested that we map /tmp to $HOME/tmp which may be a solution to this, otherwise you may have to make this change yourself.

As for SSL, it won't be in the initial build; maybe it's something we'll be able to add at a later date, I don't know.
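
Added example (not part of any post in this thread, and not Plusnet's code): one way a script that currently calls tempnam("/tmp", ...) could keep its temporary files inside the account's own filespace, as the $HOME/tmp suggestion above describes. The helper names, the $HOME/tmp location and the sample image name are assumptions.

```php
<?php
// Create (or reuse) a temp directory inside the account's own filespace,
// accessible to the owner only.
function private_tmp_dir(string $home): string
{
    $dir = rtrim($home, '/') . '/tmp';
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    // mkdir() is subject to the umask, so set the mode explicitly.
    chmod($dir, 0700);
    return $dir;
}

// Create a uniquely named file in $dir and refuse any fallback location.
function private_tmp_file(string $dir, string $prefix): string
{
    $path = tempnam($dir, $prefix);
    // tempnam() falls back to the system temp directory when $dir is
    // unusable; treat that as an error instead of silently using /tmp.
    if ($path === false || realpath(dirname($path)) !== realpath($dir)) {
        if ($path !== false) {
            unlink($path);
        }
        throw new RuntimeException("temp file was not created in $dir");
    }
    return $path; // tempnam() creates the file with mode 0600
}

// Build the djpeg step quoted earlier in the thread so that a file name
// cannot break out of the shell command line. The command is only built
// here, not run, because the binaries on the new platform are not confirmed.
function djpeg_command(string $imgfile, string $tmpimg): string
{
    return 'djpeg ' . escapeshellarg($imgfile) . ' > ' . escapeshellarg($tmpimg);
}

$home   = getenv('HOME') ?: __DIR__;  // assumption: HOME is set for the CGI user
$tmpdir = private_tmp_dir($home);
$tmpimg = private_tmp_file($tmpdir, 'img');

printf("%s mode %04o\n", $tmpimg, fileperms($tmpimg) & 0777);
echo djpeg_command('photos/my holiday.jpg', $tmpimg), "\n"; // constructed sample name
unlink($tmpimg);
```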
N/A

Re: CGI Platform Announcement

Quote
The following items are also under consideration:

- Ability to point registered domains at user's subdirectories
- Tuning process and resource limits


Dave - I definitely want the ability to point registered domains at user's subdirectories.

Neil
Plusnet Staff
Plusnet Staff
Posts: 12,169
Thanks: 18
Fixes: 1
Registered: 04-04-2007

CGI Platform Announcement

Hopefully this is something we can build in, but I can't guarantee it I'm afraid.
nickc
Newbie
Posts: 4
Registered: 20-08-2007

CGI Platform Announcement

Dave,

Just want to add my two penn'orth. SSL please. Big please!

Cheers

Nick
N/A

CGI Platform Announcement

Hi,
Just saw this thread.

Two thoughts:
1. If the server runs the scripts as though they are us, then how would we ensure that the files are read only to the server? This may seem like a very small issue, but I wonder if it could be used to someone's advantage, otherwise. I suggest that there should be another user, say <username>_web which should run as the web server.

2. (Not sure if this is related) BUT, I just wondered whether JSP support (tomcat?) could be added since if it is java, then it is less vulnerable to some exploits. You just have a java container like tomcat which apache connects to via a connector.
Marteknet
Grafter
Posts: 577
Registered: 13-10-2007

Re: CGI Platform Announcement

Quote
The proposed new platform will also add extra layers of security to increase user data protection.


It's very Secure now, I can't even find the dam thing.
Community Gaffer
Community Gaffer
Posts: 12,996
Thanks: 771
Fixes: 70
Registered: 04-04-2007

CGI Platform Announcement

Quote
It's very Secure now, I can't even find the dam thing.


lol

Rest assured we are working very hard to try and resolve the problem. An alternative platform has since been launched so you can upload your data to this in the meantime (assuming you have backups).

Kind Regards,

Bob Pullen
Plusnet Products Team

Marteknet
Grafter
Posts: 577
Registered: 13-10-2007

CGI Platform Announcement

Quote
Quote
It's very Secure now, I can't even find the dam thing.


lol

Rest assured we are working very hard to try and resolve the problem. An alternative platform has since been launched so you can upload your data to this in the meantime (assuming you have backups).

Kind Regards,


I have backups and will load them as soon as I can, but why isn't force9 doing this already? After all, they made backups before starting the work on the server, didn't they? Surely it's easier just to recover everything to the new temporary server from that backup than have all your customers who have lost sites doing the same thing. Force9 made the mess, they should clear it up.

ref:
Message
f9support

Joined: 08 May 2003
Posts: 15
Location: Sheffield
Posted: 14 Apr 2005 09:38 am Post subject: Service Status: Access to Frontpage and CGI websites - UPDAT

--------------------------------------------------------------------------------

Our Engineers are currently preparing to rebuild the storage platform that hosts the data for both the CGI and FrontPage websites.

As part of these preparations they are currently backing up all the data on this platform as a precautionary measure. This is expected to take around two hours to complete.

Once this has been done they will be able to rebuild the platform and bring it back on line as soon as possible.

Once again we would like to apologise for the inconvenience that this problem may cause and will provide further updates throughout the day.

Kind Regards,
Ben Brown
Customer Support