[EP-tech] Re: Secrurity profile of E-Pirnts

Tim Brody tdb2 at ecs.soton.ac.uk
Fri Aug 10 09:13:24 BST 2012


On Thu, 2012-08-09 at 15:58 -0600, Francisco Ralón wrote:
> Dear friends: 
> 
>  
> 
> We have developed a virtual library using E-Prints, and up to now we
> have some 500 records in it.  But now that I thought we are ready to
> put it on line, our informatics manager is questioning what he calls
> “the security profile” of this software.  He wants me to tell him what
> risks we run if we install our virtual library in the institutional
> server.   I am a librarian, not an informatics professional, and I do
> not find any information regarding this issue in the E-Prints website.
> ¿How can E-Prints affect other softwares installed in the same server?
> ¿Can it serve as gateway to viruses, Trojans, etc. which  would infect
> the server?  ¿What other risks might it have?  Are there documented
> cases of problems with security issues that would be helpful to me?  

Hi,

I'm not aware of an occasion when EPrints has been exploited. (Trying
not to tempt fate ...)

As a general rule you have to be able to trust contributing users of the
EPrints system, because there are no restrictions on what a user can
upload (be it malicious or just unwanted).

If you allow (default) admin users to edit configuration files then an
admin user could gain control of your server. You can avoid this by
running EPrints under a non-root Apache process and reverse-proxying it
from a port 80 Apache. Of course you don't want to have your admin
accounts compromised anyway :-)

-- 
All the best,
Tim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
Url : http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachments/20120810/e089e92e/attachment.bin 


More information about the Eprints-tech mailing list