Re: [gbd-dev] Multi-user Debugging on Linux Server
From: Aaron M. <wmc...@ho...> - 2005-06-26 15:15:51
Sounds pretty good to me. Any insecure functionality could be disabled by default and hopefully only enabled in a secure environment. The documentation could warn the user of the risks of enabling the functionality and advise what security measures should be in place.

Will we be getting rid of the localsettings file parameter? One of the things I like about it is that it allows a user to have simultaneous debug sessions and allows multiple projects to be debugged at the same time but independently. I could go either way on this.

Will "user" be a request parameter so that Gubed will know to read a user-specific settings file? The user-specific settings file should maybe include all the content of the current localsettings file so that a user could also use their own cache and do-not-debug list (and history file if it gets moved into localsettings).

Thanks,
Aaron McDonald

---------------------------------------------------------------------------------------------------------------

Perhaps then we should have two setting files, global and user.

In the global setting file you can set defaults and here we could also have settings like:
* allow remote debuggers - i.e. non localhosts
* show developer help - which enables/disables the debug subdir
* allow port/host on request
* Also default host and port could be specified here.

In the user settings files (which probably shouldn't be PHP files then, but normal config files) only host and port can be overridden.

Is this a good compromise?

/linus

On Sunday 26 June 2005 01.12, Brett Serkez wrote:
>After reading both posts, I can see the difficulties of both security
>and implementation.
>
>I agree that whatever is done, must be secure or gubed will not be
>used.
>
>As a thought, we could optionally restrict the DebugServer to
>'localhost'. When this restriction is in place, any individuals needing
>to debug need to either log on and start the debugger locally or run
>secure shell as previously described to create a local port to bring the
>session back to their local system. This would give the local system
>administrator strict control over who could debug, but not what they
>could debug.
>
>On this second point, seems to me that StartSession.php (soft-link or
>real) must exist at or below the directory to be debugged, while this
>doesn't control who can debug what, it does limit what can be debugged
>controlled by existing access to the host's directory structure.
>
>I favor allowing specification of ports on the url for maximum
>flexibility, presuming the security issue is resolved.
>
>Brett
>
>-------------------------------------
>Brett C. Serkez, Technical Trainer
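
The global/user settings split discussed in this thread, sketched as an added example; it is not Gubed code and not written by any of the posters. The setting names, the INI format, the port values and the function name `resolveDebugTarget` are all assumptions made for illustration.

```php
<?php
// Added example. Setting names, INI format and port values are hypothetical.
const USER_OVERRIDABLE = ['host' => true, 'port' => true];
const LOOPBACK_HOSTS = ['127.0.0.1', '::1', 'localhost'];

function resolveDebugTarget(string $globalIni, string $userIni, array $request): array
{
    $defaults = ['allow_remote_debuggers' => false, 'allow_host_port_on_request' => false,
                 'host' => '127.0.0.1', 'port' => 8016];
    // INI_SCANNER_TYPED yields real booleans and integers instead of strings.
    $global = (parse_ini_string($globalIni, false, INI_SCANNER_TYPED) ?: []) + $defaults;
    $user   = parse_ini_string($userIni, false, INI_SCANNER_TYPED) ?: [];

    // Start from the global defaults; the user file may change host and port only,
    // so a policy key placed in it (e.g. allow_remote_debuggers) is ignored.
    $target = array_intersect_key($user, USER_OVERRIDABLE)
            + ['host' => $global['host'], 'port' => $global['port']];

    // Host/port supplied on the request count only when the global file permits it.
    if ($global['allow_host_port_on_request'] === true) {
        $target = array_intersect_key($request, USER_OVERRIDABLE) + $target;
    }

    $port = filter_var($target['port'], FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port === false || !is_string($target['host'])) {
        throw new InvalidArgumentException('invalid debugger host or port');
    }
    // Unless remote debuggers are enabled globally, only loopback is accepted.
    $host = strtolower($target['host']);
    if ($global['allow_remote_debuggers'] !== true && !in_array($host, LOOPBACK_HOSTS, true)) {
        throw new RuntimeException("remote debugger host refused: $host");
    }
    return ['host' => $host, 'port' => $port];
}

// Constructed sample input.
$globalIni = "allow_remote_debuggers = false\nallow_host_port_on_request = true\n"
           . "host = \"127.0.0.1\"\nport = 8016\n";
$userIni   = "port = 8020\nallow_remote_debuggers = true\n";

print_r(resolveDebugTarget($globalIni, $userIni, []));           // user port applies
try {
    resolveDebugTarget($globalIni, $userIni, ['host' => '203.0.113.5']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";                                    // refused: not loopback
}
```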