This page lists the basic restrictions and recommendations regarding software executed by users on our servers, including web applications such as CGI and PHP scripts.

Experimental Software

We recommend that users test and debug experimental software on their own machines before deploying it to a multiuser server environment. If that is not possible or convenient, users should monitor their process usage using tools like top, ps, pstree, or fstat and carefully review the relevant log files.

The gdb debugger is available on all of our servers. For C and C++ applications, use of the -g flag is recommended even for production binaries.

Vulnerable Web Applications

Web applications such as CGI and PHP scripts all execute under user privileges thanks to Apache suEXEC. This means that scripts are able to use the file system without requiring insecure permissions (so you can make the data files used by those scripts private, e.g. chmod 600), but it also means that a potential attacker can use vulnerable scripts to execute arbitrary code under your account. Therefore it is critical to audit web applications carefully and keep up with security updates when using third-party scripts.

We will immediately suspend accounts that have been compromised (as evidenced by, for example, a "backdoor" program executing, or spam being sent from the account). We can easily track down scripts that have been exploited by spammers since the uid is kept in the "Received:" headers.

Ratware

PHP or CGI scripts which permit a remote user to set an arbitrary recipient allow spammers to send junk mail on behalf of the user. Spammers have methods to detect and exploit vulnerable FormMail scripts. Scripts known to be vulnerable to such arbitrary relaying will be disabled.
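An added example, not part of the original page or any script the host provides: one way a form handler avoids arbitrary relaying is to let the request pick only a key into a server-side recipient table, so the address never comes from the client. The table, addresses and function names are assumptions; the control-character check goes slightly beyond the text by keeping submitted fields from adding header lines.

```python
import re
from email.message import EmailMessage

# Constructed sample data: form keys mapped to fixed mailboxes (assumption).
RECIPIENTS = {
    "sales": "sales@example.org",
    "support": "support@example.org",
}
SENDER = "webform@example.org"  # constructed From address
SINGLE_MAILBOX = re.compile(r"[^@\s,;<>]+@[^@\s,;<>]+")


class RejectedForm(ValueError):
    """Raised when a submission must not be turned into mail."""


def clean_header(value, limit=200):
    """Return value stripped, or reject it if it could add header lines."""
    if len(value) > limit or any(ord(c) < 32 or ord(c) == 127 for c in value):
        raise RejectedForm("control character or oversized header value")
    return value.strip()


def build_message(form):
    """Build the outgoing mail from a dict of submitted form fields."""
    key = form.get("to", "")
    if key not in RECIPIENTS:
        # The client picks a key; the address itself never comes from the request.
        raise RejectedForm("unknown recipient key")
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENTS[key]
    msg["Subject"] = clean_header(form.get("subject", "")) or "(no subject)"
    reply_to = clean_header(form.get("email", ""))
    if reply_to:
        # Exactly one plain address; no lists, no display names.
        if not SINGLE_MAILBOX.fullmatch(reply_to):
            raise RejectedForm("reply address is not a single mailbox")
        msg["Reply-To"] = reply_to
    msg.set_content(form.get("body", ""))
    return msg


if __name__ == "__main__":
    demo = {"to": "support", "subject": "Quota question",
            "email": "visitor@example.net", "body": "Hello"}
    print(build_message(demo))
```

The returned message can be handed to `smtplib.SMTP.send_message`; a rejected submission should be answered with an error page and never mailed.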

CGI-based Page Hit Counters

CGI scripts whose sole purpose is to count page hits are not allowed. FastCGI applications are okay, as long as they do not establish any kind of network connection (such as a database connection) at every invocation. Counters like these are inaccurate and they slow down the loading of web pages. Apache logs, however, are fully accurate and efficient.

Always operate on the assumption that your website will get several hits per second, even if it is low-profile.

CGI Error Handlers

It is not permitted to use CGI or PHP applications for handling errors like 403 and 404. FastCGI applications are okay, again, as long as they do not establish network/database connections at every hit. HTTP errors are already logged to your ErrorLog file.

Daemons

It's possible to run daemons and background processes, as described in the next section, but explicit permission is required for daemons listening for external connections.

Polling Applications

Any type of user application that runs persistently on the server must use some sort of synchronous I/O multiplexing such that the application does not use any CPU when it is idle. For applications that do not conform to this policy, users should ask explicit permission.

Programming interfaces that allow synchronous I/O multiplexing include:

  • The select and poll interfaces.
  • The libevent library.
  • The Perl POE framework.
  • The liboop library.
  • GLib's main event loop.

Statically-Linked Binaries

It is not recommended to link user binaries statically against system libraries, since that might prevent them from picking up security fixes later applied to the system libraries.

IRC Bots and Servers

IRC bots such as eggdrop, IRC proxies (or "bouncers") and IRC servers are not allowed on our servers.

Proxy Servers

Users are not allowed to run any type of server-side daemon which forwards connections to arbitrary remote hosts, without explicit approval from us. IRC "bouncers", for instance, fall under this category. We will immediately suspend accounts which are found to run proxy software.

DoS and Spam Tools

This should be more than obvious, but the execution of DoS and spamming tools on the servers is not an acceptable practice and will result in account suspension and/or termination.

Vulnerability Scanners and Exploits

Network scanners such as nmap, vulnerability scanners, and exploits are prohibited on all of our servers, regardless of their intended purpose. If you want to use our servers to perform very specific security audits against your own equipment, please contact us about it.