[cap-talk] Dan Bernstein's qmail security lessons paper
David Wagner
daw at cs.berkeley.edu
Sun Dec 16 20:12:21 EST 2007
James Donald writes:
>But your company web server does need to be pretty much
>privileged to run your business, and if a guy from
>Nigeria gets control of it, the principle of least
>privilege does not help much.
I think the principle of least privilege can help even there, if applied
properly. For instance, CGI programs that dynamically generate HTML
content do not need to run as root. It is helpful to run them in a
minimal-privilege jail, so that a single bug in a single CGI program
cannot compromise your entire web site.
>For things like the webserver, what can help a lot is
>writing stuff in a language that is immune from buffer
>overflows and the like.
That's a good idea, too, but not sufficient on its own (just as the
principle of least privilege is not sufficient on its own).
>Java has dreadful performance problems:
Well, "dreadful" is rhetoric that appeals to emotion rather than reason.
I think it's a good idea to quantify these claims. How much slower is a
Java-based web server, using metrics that are an appropriate measure of
end-to-end web server performance?
It's my impression that Java is arguably the dominant platform for web
services, in the enterprise world. How do you reconcile that with your
view of Java?
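The minimal-privilege jail for CGI programs that Wagner describes, as an added example that is not part of the original post: a small wrapper that the web server (assumed to run as root) invokes, which enters a chroot jail, drops to an unprivileged uid/gid, verifies that root cannot be regained, and only then executes the CGI program. The argument layout (JAIL UID GID CGI-PATH) is an assumption made for illustration.

```c
/* Added example wrapper: confine a CGI program to a minimal-privilege jail
 * before exec'ing it. Assumed invocation by the web server, as root:
 *   cgi-jail JAIL UID GID /path/inside/jail/cgi [args...]            */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Return 0 once the process is confined to `jail` and running as uid/gid,
 * -1 (errno set) if any step fails. Nothing is changed unless every earlier
 * step succeeded, and the drop is verified before reporting success. */
int drop_privileges(uid_t uid, gid_t gid, const char *jail)
{
    /* Never "drop" to root, and insist on an absolute jail path. */
    if (uid == 0 || gid == 0 || jail == NULL || jail[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    /* Enter the jail first: chroot needs root, so it must precede the drop. */
    if (chdir(jail) != 0 || chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    /* Supplementary groups, then gid, then uid: once the uid is
     * unprivileged the group calls would no longer be permitted. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is real: regaining root must fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s JAIL UID GID CGI-PATH [args]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (drop_privileges(uid, gid, argv[1]) != 0) {
        perror("drop_privileges");
        return 1;   /* refuse to run the CGI with leftover privilege */
    }
    /* CGI-PATH is resolved inside the jail, as the unprivileged user. */
    execv(argv[4], argv + 4);
    perror("execv");
    return 1;
}
```

A bug in the CGI program then yields only the jail's view of the filesystem and an unprivileged uid, not the web server's identity.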