SPUG: site clutter

William Julien moonbeam at catmanor.com
Mon Jun 25 19:49:45 CDT 2001


>
>A word of warning:  drizzle's tech people don't entirely know what 
>they're doing.  E.g. they've set up their site so that users' CGI 
>scripts run with the same UID as the web server(!), *not* as the user 
>who owns the account.  Not only that, but when I called up to 
>complain, it took me rather a long time to explain to their Unix 
>"guru" why this was a Bad Thing.

Hmmm. Can you explain why it is a "Bad Thing" to have your server
running as user "nobody" and group "nobody"? It would seem to me that
this would provide better security for the system if you ran scripts
as an unprivileged user. If your cgi scripts were run under setuid,
a poorly written script can gain access to files (owned by them) that
were not explicitly permitted by the owner as world-writable.

You can configure apache to run scripts as setuid. It is an option
available within apache (I understand it is configurable on a per-file
basis via the setgid bit). But I would consider that a "Bad Thing"
for the general security of the system unless you are very careful
how you set it up. Apache provides strong warnings regarding this.

>
>They set up this really annoying kludge just for my account (all my 
>scripts have to be called via a URL like 
>http://www.mydomain.org/cgi-bin/cgiwrap/myusername/myscript.cgi ), 
>but AFAIK everyone else's CGIs are still running as the web server.

This is similar to how the apache suexec program works. By default, and
for good reason, this facility is not configured within the apache server.

See: http://httpd.apache.org/docs/suexec.html

Generally, I have found the security measures on drizzle to be much
more advanced than on halcyon. Their tech support did need help with the
"chsh" command, but I simply pointed them to the man page. By default,
this command is suid and I would have changed my own shell. But they
removed the suid root bit to chsh. A Good Thing.

They run "nobody" as uid 140 and gid 99. This enhances the security since
intruders have to guess the "nobody" uid/gid. Sendmail runs as "nobody",
as does portmapper and several other facilities. On their web server,
validation is done via a nis server and the passwd files do not contain
a list of the valid userids. They have locked up /home so that one can
only see one's own files.  I'm afraid I have to disagree. Drizzle is
the most secure server I have seen to date (this includes the ones I maintain).

Halcyon is much more permissive. For example, they allow cgi scripts to
be located within your document root (cgi-pvt). A "Bad Thing".

---
   William Julien           _,'|            _.-''``-...___..--';
moonbeam at catmanor.com      /, \'.      _..-' ,      ,--...--'''
 vi is my shepherd;       < \   .`--'''      `     /| 
 i shall not font.         `-,;'              ;   ; ;  
                     __...--''     __...--_..'  .;.'  
                    (,__....----'''      (,..--''     
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
perl -e '( $ ,, $ ")=("a".."z")[0,-1]; print "sh", $ ","m\n";;";;"'


 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     POST TO: spug-list at pm.org       PROBLEMS: owner-spug-list at pm.org
      Subscriptions; Email to majordomo at pm.org:  ACTION  LIST  EMAIL
  Replace ACTION by subscribe or unsubscribe, EMAIL by your Email-address
 For daily traffic, use spug-list for LIST ;  for weekly, spug-list-digest
  Seattle Perl Users Group (SPUG) Home Page: http://www.halcyon.com/spug/
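The thread above weighs two CGI deployments: every script running as the shared web-server identity ("nobody", uid 140 / gid 99 in the post) versus suexec/cgiwrap running each script as the account owner. The following is an added example, not code from the post or from Apache: it models the classic Unix discretionary access check (owner / group / other permission bits; root and supplementary groups deliberately omitted) on constructed inodes and processes, so the two trade-offs the thread raises can be checked side by side. The user ids for "alice" and "bob" and the file paths are assumptions made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Inode:
    """A file as the kernel sees it for permission purposes."""
    path: str
    uid: int
    gid: int
    mode: int   # permission bits only, e.g. 0o644

@dataclass(frozen=True)
class Process:
    """A running CGI script: who it is, not what it does."""
    name: str
    euid: int
    egid: int

def permitted(proc: Process, ino: Inode, want: str) -> bool:
    """Simplified Unix access check: pick the owner, group or other
    triplet by matching euid/egid, then test the requested bit.
    (The real check also honours root and supplementary groups.)"""
    if proc.euid == ino.uid:
        triplet = (ino.mode >> 6) & 0o7
    elif proc.egid == ino.gid:
        triplet = (ino.mode >> 3) & 0o7
    else:
        triplet = ino.mode & 0o7
    return bool(triplet & {"r": 4, "w": 2, "x": 1}[want])

# "nobody" values are the ones quoted in the post; the account ids are constructed.
NOBODY_UID, NOBODY_GID = 140, 99
ALICE_UID, ALICE_GID = 1001, 1001   # assumption
BOB_UID, BOB_GID = 1002, 1002       # assumption

def shared_uid_deployment():
    """All CGIs run as nobody. A data file alice's script created is
    therefore owned by nobody, and bob's script (also nobody) is its owner too,
    even though alice chose a private 0600 mode."""
    alice_data = Inode("/home/alice/cgi-data/orders.db", NOBODY_UID, NOBODY_GID, 0o600)
    bobs_cgi = Process("bob's CGI", NOBODY_UID, NOBODY_GID)
    return permitted(bobs_cgi, alice_data, "r"), permitted(bobs_cgi, alice_data, "w")

def suexec_deployment():
    """Each CGI runs as its account owner. The same private file now belongs
    to alice, so bob's script falls through to the 'other' bits, which are 0."""
    alice_data = Inode("/home/alice/cgi-data/orders.db", ALICE_UID, ALICE_GID, 0o600)
    bobs_cgi = Process("bob's CGI", BOB_UID, BOB_GID)
    return permitted(bobs_cgi, alice_data, "r"), permitted(bobs_cgi, alice_data, "w")

def own_files_under_suexec():
    """The cost the reply points out: under suexec, a buggy script of alice's
    carries alice's uid, so it can overwrite her own 0644 files (e.g. a
    public HTML page she never intended a CGI to touch)."""
    alice_page = Inode("/home/alice/public_html/index.html", ALICE_UID, ALICE_GID, 0o644)
    alices_cgi = Process("alice's CGI", ALICE_UID, ALICE_GID)
    return permitted(alices_cgi, alice_page, "w")

def own_files_under_shared_uid():
    """Same 0644 page under the shared identity: a script running as nobody
    can read it (world-readable) but cannot write it, which is the isolation
    from the user's own files that the reply argues for."""
    alice_page = Inode("/home/alice/public_html/index.html", ALICE_UID, ALICE_GID, 0o644)
    any_cgi = Process("any CGI", NOBODY_UID, NOBODY_GID)
    return permitted(any_cgi, alice_page, "r"), permitted(any_cgi, alice_page, "w")

if __name__ == "__main__":
    print("shared uid, bob -> alice's private file (r, w):", shared_uid_deployment())
    print("suexec,     bob -> alice's private file (r, w):", suexec_deployment())
    print("suexec,     alice's CGI -> alice's 0644 page (w):", own_files_under_suexec())
    print("shared uid, any CGI  -> alice's 0644 page (r, w):", own_files_under_shared_uid())
```

Running it shows both halves of the disagreement: with a shared UID, anything one user's script writes is fully readable and writable by every other user's script (so "private" files between web accounts are not private), while suexec restores that boundary at the price of letting a user's own buggy script touch that user's own files. Neither model helps with files the user deliberately made world-readable or world-writable, which is why the reply stresses careful setup either way.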
