3.2. Security not by obscurity

Security is one of most important things in enterprise systems nowadays. It's also very important for me. That's way I performed some steps to make this system secure.

3.2.1. Steps done to make this system secure

From the beginning v-q is developed using C++ and Standard Template Library. I try not to reinvent wheel, when possible I use known and checked software. STL and C++ include common algorithms and data structures which have been checked by many developers.

I try to keep this code as simple as possible, don't use any obfuscation techniques :-) It's simple in design, it's coded in a simple way. I try to maintain decent comments in code but I think that simpler code is better that larger documentation.

I use automates to create code. For example I decided to use CORBA because it automates creation of communication protocol between daemons.

From version 5 I started creating and performing unit testing as often as I can. For every bug found I create test before I fix it, that way I prevent it to be introduced again in next version.

The most important thing I do to make this system stable and secure is using it on my own servers.

3.2.2. Limiting access to sockets

One of the steps that can be performed to secure system is to limit access to sockets used by daemons during communication.

Directory contrib/service includes sample scripts to run daemons under daemontools (see http://cr.yp.to for informations about package). As you can see all daemons are executed with:

-ORBIIOPAddr "unix:/var/vq/sockets/$PROG.sock"

This argument tells CORBA implementation to use Unix sockets as a communication channel. Unix sockets are stored in a file system so you can limit access i.e. using chmod. Use

chmod 700 /var/vq/sockets

to limit access only to all processes run by owner of /var/vq/sockets directory.

If you want to allow processes run by different users to access daemons it's advised to create special group which will have access to Unix sockets and run all those processes with this group.

Hosted by: BerliOS Logo SourceForge.net Logo