[Cialug] SOT: What is everyone's favorite FOSS CMS these days?

Nicolai nicolai-cialug at chocolatine.org
Fri Aug 12 12:42:43 CDT 2011


On Thu, Aug 11, 2011 at 02:24:06PM -0500, Nathan C. Smith wrote:

> Easy to get running would be nice too, but security above all else.

You can check securityfocus.com for a list of vulnerabilities in
software packages, by name.  That should help you make a more informed
decision.

Since security is your primary criterion, and only since it sounds common
to run Apache insecurely, I'd say this:

 - Run Apache in a chroot, as an unprivileged user (this is not default?)

 - Avoid PHP if you can (and you almost always can)

 - Focus on general system hardening: chflags/chattr, mount restrictions
   like noexec, file ownership etc., malloc tweaks, minimalist firewall,
   propolice and the like, ...

In short, prepare your system such that an eventual webserver compromise
is unlikely to yield anything, under the assumption that whatever CMS
you choose will contain multiple vulnerabilities.

> I'm looking for voices of experience here: I had a system running Drupal
> get owned one time, so fool me once, fool me twice, etc.

How extensive do you need this CMS to be?

When I once needed a CMS, I investigated the possibilities, didn't like
any of them, and just wrote my own.  I'm not a good programmer but it
was easy.  If a person has written anything useful in Python or Perl, I
think they should also be able to write a CMS that performs every
function required by 99% of the people who have their own.  Take a look
at what 99% of people do: post a new page, cp it to the archive, tag it,
occasionally edit an existing page, accept comments (mostly spam or
psychotic rage), shuffle some files around, easy peasy.  It doesn't take
a lot of fancy code to do this.  If it's your own box you could (for
certain applications) even just use a shell script.  Consider rolling
your own. :-)

Nicolai
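The hardening checklist in the post above (unprivileged web-server user, noexec/nosuid/nodev mounts for the document root and upload directories, chattr +i on config files) is the kind of thing that silently regresses after the next package upgrade, so here is a small audit script for it. This is an added example, not code from the post or from any project; the /proc/mounts, `ps -eo user,comm` and `lsattr` samples are constructed inline so it runs offline, and the "apache2"/"httpd" process names, the /var/www document root and the /tmp upload directory are this example's assumptions. The chroot and propolice items are not checked here.

```python
"""Post-install audit for the mount, process-owner and immutable-flag checks.

Added example (not from the mailing-list post).  The three SAMPLE_* strings
are constructed stand-ins for /proc/mounts, `ps -eo user,comm` and `lsattr`
output on a real host.
"""
import posixpath

# Constructed /proc/mounts: device, mountpoint, fstype, options, dump, pass.
# /var/www is deliberately mounted without the hardening options.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda3 /var/www ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
"""

# Constructed `ps -eo user,comm` output: one apache2 process still owned by root.
SAMPLE_PS = """\
USER     COMMAND
root     apache2
www-data apache2
www-data apache2
root     sshd
"""

# Constructed `lsattr` output: flags, a space, then the file name.
SAMPLE_LSATTR = """\
----i---------e---- /etc/apache2/apache2.conf
--------------e---- /etc/apache2/envvars
"""


def parse_mounts(text):
    """Return {mountpoint: set(mount options)} from /proc/mounts-style lines."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def mount_for(path, mounts):
    """Longest mountpoint that contains path, i.e. the filesystem it lives on."""
    path = posixpath.normpath(path)
    best = "/"
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def missing_options(path, mounts, required=("noexec", "nosuid", "nodev")):
    """Hardening options absent from the filesystem that holds path."""
    opts = mounts.get(mount_for(path, mounts), set())
    return [o for o in required if o not in opts]


def webserver_as_root(ps_text, names=("apache2", "httpd")):
    """(user, command) rows for web-server processes owned by root.

    Apache's parent normally starts as root to bind port 80 and drops
    privileges for its workers; any root-owned worker is worth a look, and
    a chrooted, fully unprivileged setup should show none at all.
    """
    rows = []
    for line in ps_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        user, comm = parts
        if comm in names and user == "root":
            rows.append((user, comm))
    return rows


def not_immutable(lsattr_text):
    """Files in lsattr output that lack the 'i' (immutable) attribute."""
    out = []
    for line in lsattr_text.splitlines():
        flags, _, name = line.partition(" ")
        if name and "i" not in flags:
            out.append(name)
    return out


def audit(mounts_text, ps_text, lsattr_text, docroot="/var/www", upload_dirs=("/tmp",)):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    mounts = parse_mounts(mounts_text)
    for path in (docroot,) + tuple(upload_dirs):
        missing = missing_options(path, mounts)
        if missing:
            findings.append(f"{path} mounted without {','.join(missing)}")
    for user, comm in webserver_as_root(ps_text):
        findings.append(f"{comm} running as {user}")
    for name in not_immutable(lsattr_text):
        findings.append(f"{name} is not immutable (chattr +i)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MOUNTS, SAMPLE_PS, SAMPLE_LSATTR):
        print("FAIL:", finding)
```

On a live box, replace the samples with `open("/proc/mounts").read()`, the output of `ps -eo user,comm`, and `lsattr /etc/apache2/*.conf`; the mount check follows the kernel's longest-prefix rule, so a document root on its own partition is judged by that partition's options, not by the root filesystem's.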

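As an added example of the "roll your own" workflow the post describes (post a page, copy it to the archive, tag it, edit it, accept comments), here is a file-backed CMS core in Python. It is not code from the post or any project; the on-disk layout (pages/, archive/, comments/, tags.json) and the slug rule are this example's own choices. The two places where such a thing usually goes wrong are covered: the user-chosen page name is validated against a strict pattern instead of being spliced into a path, and comments are stored raw and HTML-escaped at render time, so the spam and rage the post mentions cannot carry markup into the page.

```python
"""Minimal file-backed CMS core.  Added example, not the post's own code.

Layout under root/ is this example's choice: pages/<slug>.txt holds
"title\n\nbody", archive/<slug>.<n>.txt keeps prior versions,
comments/<slug>.jsonl holds one JSON record per comment, tags.json is the
tag index.
"""
import html
import json
import re
import shutil
import tempfile
from pathlib import Path

# The slug is the only user-chosen component of any path: allow a tight
# pattern and reject everything else rather than trying to sanitise "../".
SLUG_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,63}$")


class Cms:
    def __init__(self, root):
        self.root = Path(root)
        for d in ("pages", "archive", "comments"):
            (self.root / d).mkdir(parents=True, exist_ok=True)
        self.tags_file = self.root / "tags.json"
        if not self.tags_file.exists():
            self.tags_file.write_text("{}")

    @staticmethod
    def check_slug(slug):
        if not SLUG_RE.match(slug):
            raise ValueError(f"bad slug: {slug!r}")
        return slug

    def _page(self, slug):
        return self.root / "pages" / f"{self.check_slug(slug)}.txt"

    def post(self, slug, title, body):
        path = self._page(slug)
        if path.exists():
            raise FileExistsError(slug)
        path.write_text(f"{title}\n\n{body}")

    def edit(self, slug, body):
        path = self._page(slug)
        title = path.read_text().split("\n", 1)[0]
        # "cp it to the archive": keep the previous version under a counter.
        version = len(list((self.root / "archive").glob(f"{slug}.*.txt"))) + 1
        shutil.copy(path, self.root / "archive" / f"{slug}.{version}.txt")
        path.write_text(f"{title}\n\n{body}")

    def tag(self, slug, *tags):
        self.check_slug(slug)
        index = json.loads(self.tags_file.read_text())
        for t in tags:
            if slug not in index.setdefault(t, []):
                index[t].append(slug)
        self.tags_file.write_text(json.dumps(index))

    def pages_tagged(self, tag):
        return json.loads(self.tags_file.read_text()).get(tag, [])

    def comment(self, slug, author, text):
        # Stored raw; escaping happens once, at output, in render().
        self.check_slug(slug)
        with (self.root / "comments" / f"{slug}.jsonl").open("a") as f:
            f.write(json.dumps({"author": author, "text": text}) + "\n")

    def render(self, slug):
        title, _, body = self._page(slug).read_text().partition("\n\n")
        out = [f"<h1>{html.escape(title)}</h1>", f"<pre>{html.escape(body)}</pre>"]
        cfile = self.root / "comments" / f"{slug}.jsonl"
        if cfile.exists():
            for line in cfile.read_text().splitlines():
                c = json.loads(line)
                out.append(f"<p><b>{html.escape(c['author'])}</b>: {html.escape(c['text'])}</p>")
        return "\n".join(out)


def demo(root=None):
    """Run the whole workflow once on a scratch directory and return the results."""
    root = root or tempfile.mkdtemp(prefix="cms-")
    cms = Cms(root)
    cms.post("hello", "Hello", "first draft")
    cms.edit("hello", "second draft")
    cms.tag("hello", "news", "meta")
    cms.comment("hello", "<script>", "buy <b>pills</b>")  # constructed spam comment
    rejected = False
    try:
        cms.post("../etc/passwd", "x", "y")  # traversal attempt must be refused
    except ValueError:
        rejected = True
    return {
        "archived": sorted(p.name for p in (Path(root) / "archive").iterdir()),
        "tagged": cms.pages_tagged("news"),
        "rendered": cms.render("hello"),
        "traversal_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo()["rendered"])
```

Everything user-facing goes through `check_slug` and `html.escape`; the one thing this core does not do is authenticate the author, which on a single-user box is what SSH and file ownership are already for.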