[pgh-pm] Restricting File I/O in Apache

Tom Moertel tom at moertel.com
Wed Feb 16 15:02:08 PST 2005


James O'Kane wrote:
> Hopefully I'll remember to give all the details of the scenario.
> 
> I'm trying to find a way to keep one cgi script from reading the 
> contents of any file that isn't owned by the same user.

Does this mean that if user X runs the script, it cannot read user Y's 
files, even if the files are otherwise readable by X (say mode 664)?  If 
so, that's a tall order.  If, on the other hand, you just want the 
script to be run as X, letting normal Linux permissions handle the rest, 
that should not be too hard (e.g., via suid wrapper or sbox).

> http://stein.cshl.org/~lstein/sbox/ looks like it would almost work, but 
> it would require making a small filesystem in the user's home directory 
> for chroot to work, ...

Are your requirements such that you can use sbox without its chroot 
features?

> An idea I had was to do something with Apache::PerlRun and do some setup 
> before invoking the users' script. Ideally, I would need to write or 
> find something that intercepted open calls and checked permissions 
> before allowing them to happen. I'd like to avoid writing this myself 
> because I'm sure I would miss something.

Is Apache running as a user that has access to every script user's 
files?  In other words, if Apache is running as user A, and user X wants 
to run the script to access a file that he owns with permissions 600, 
how would you do it?  Unless A is root (naughty), you cannot, right?

For this reason, sbox or a suid wrapper looks like the simplest approach.

Cheers,
Tom
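The suid-wrapper approach mentioned above, as an added example (this is not Tom's code, not sbox, and not anything posted to the list): a minimal setuid-root wrapper in C that refuses to run anything but a regular, owner-only-writable script, drops root permanently to the script's owner, and only then executes it, so the script is bound by the owner's normal Linux permissions. The `MIN_SCRIPT_UID` cutoff, the fixed `PATH` and the pass-through list of CGI variables are policy values assumed here, not taken from the post.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Lowest uid the wrapper will switch to (assumed policy value: regular users only). */
#define MIN_SCRIPT_UID 1000

/* CGI variables handed to the script; everything else Apache exported is dropped
 * (assumed allow-list, trim or extend to taste). */
static const char *const passthrough[] = {
    "QUERY_STRING", "REQUEST_METHOD", "CONTENT_LENGTH", "CONTENT_TYPE", "PATH_INFO",
    "SCRIPT_NAME", "REMOTE_ADDR", "SERVER_NAME", "SERVER_PORT", "HTTP_HOST", NULL
};

/* A script is acceptable only if it is a regular file that nobody but its owner
 * can modify; otherwise another user could plant code that the wrapper would then
 * run under the owner's uid. Returns 1 if acceptable, 0 otherwise. */
int script_is_safe(mode_t mode)
{
    return S_ISREG(mode) && (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Refuse to become root or any system account. Returns 1 if allowed. */
int target_is_unprivileged(uid_t uid, gid_t gid)
{
    return uid >= MIN_SCRIPT_UID && gid != 0;
}

/* Drop root for good: supplementary groups first, then gid, then uid (the other
 * order loses the right to change groups); setuid() from root sets real, effective
 * and saved ids together. Then verify root cannot be regained. 0 on success. */
int drop_privileges(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    if (setuid(0) == 0)  /* must fail now that no uid is privileged */
        return -1;
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || getegid() != pw->pw_gid)
        return -1;
    return 0;
}

/* Build a minimal environment: a fixed PATH plus the allow-listed CGI variables. */
static char **build_env(void)
{
    size_t n = 0, i;
    char **env = calloc(sizeof passthrough / sizeof passthrough[0] + 1, sizeof *env);
    if (env == NULL)
        return NULL;
    env[n++] = "PATH=/usr/bin:/bin";
    for (i = 0; passthrough[i] != NULL; i++) {
        const char *val = getenv(passthrough[i]);
        if (val == NULL)
            continue;
        size_t len = strlen(passthrough[i]) + strlen(val) + 2;
        char *entry = malloc(len);
        if (entry == NULL)
            return NULL;
        snprintf(entry, len, "%s=%s", passthrough[i], val);
        env[n++] = entry;
    }
    return env;  /* calloc left the terminating NULL in place */
}

int main(int argc, char **argv)
{
    struct stat st;
    struct passwd *pw;
    char **env;
    /* Open first, then inspect and execute the open descriptor, so the file that
     * was checked is the file that runs (no stat/exec race on the path). */
    int fd = (argc >= 2 && argv[1][0] == '/') ? open(argv[1], O_RDONLY) : -1;

    if (fd < 0 || fstat(fd, &st) != 0) {
        fprintf(stderr, "usage: %s /absolute/path/to/script.cgi\n", argv[0]);
        return 2;
    }
    pw = getpwuid(st.st_uid);
    if (pw == NULL || !target_is_unprivileged(pw->pw_uid, pw->pw_gid) ||
        !script_is_safe(st.st_mode)) {
        fprintf(stderr, "%s: owner or mode not acceptable\n", argv[1]);
        return 2;
    }
    env = build_env();
    if (env == NULL || drop_privileges(pw) != 0) {
        fprintf(stderr, "could not drop privileges\n");
        return 2;
    }
    /* Only now, running as the script's owner, is the user's script executed. */
    fexecve(fd, argv + 1, env);
    perror("fexecve");
    return 2;
}
```

Install the binary root-owned with mode 4750 and the Apache user's group as its group, so only Apache can invoke it, and have Apache call it with the script's absolute path. Note what this does and does not buy you, exactly as the reply says: the script runs as X, so X's 600 files are reachable and other users' 600 files are not, but a file Y made group- or world-readable is still readable, because that is ordinary Linux permission checking, not the per-script open() interception James asked about.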
