SPUG: Re: setuid & CGI security (was: site clutter)

William Julien moonbeam at catmanor.com
Tue Jun 26 02:06:13 CDT 2001


>
>William Julien, in an immanent manifestation of deity, wrote:
>>Hmmm. Can you explain why it is a "Bad Thing" to have your server
>>running as user "nobody" and group "nobody"? It would seem to me, that
>>this would provide better security for the system if you ran scripts
>>as an unprivileged user. If your cgi scripts were run under setuid,
>>a poorly written script can gain access to files (owned by them) that
>>were not explicitly permitted by the owner as world write.
>
>So, if User A runs his scripts as "nobody" and User B runs her scripts
>as "nobody", what could User A do to User B?
>
>Darren

I'm not sure I quite understand your question. If user "A" and "B" run
as nobody, they are effectively the same user. The server side id is the
same. Web servers, by their nature, are "anonymous". So unless the server
script maintains the user information via cookies or session persistent
logins, the userid for all users is restricted to the "nobody" capability
defined by the server. The answer to your question can be "anything they
want to do"; given the security (or lack thereof) of the server.

---
   William Julien           _,'|            _.-''``-...___..--';
moonbeam at catmanor.com      /, \'.      _..-' ,      ,--...--'''
 vi is my shepherd;       < \   .`--'''      `     /| 
 i shall not font.         `-,;'              ;   ; ;  
                     __...--''     __...--_..'  .;.'  
                    (,__....----'''      (,..--''     
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
perl -e '( $ ,, $ ")=("a".."z")[0,-1]; print "sh", $ ","m\n";;";;"'
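An added illustration of the point in the reply above (example code, not from the original post): if every CGI runs as the same "nobody" identity, anything user B's script needs to read or write must be open to that identity, and so to user A's script too. The audit below models the Unix owner/group/other check for a chosen uid/gid over a constructed two-user web tree; the shared identity is hypothetical and picked so it never matches the owner, and the file names and modes are constructed.

```python
import os
import stat
import tempfile

READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
WRITE = (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)

def shared_identity():
    """Hypothetical (uid, gid) of the shared server user ("nobody" in the
    thread), chosen so it differs from whoever built the fixture."""
    return (os.getuid() + 1, os.getgid() + 1)

def owner_identity():
    """Identity a per-user (setuid/suexec style) CGI would run as."""
    return (os.getuid(), os.getgid())

def grants(st, uid, gid, bits):
    """Discretionary access check: select the owner, group or other triplet
    for (uid, gid) and test the requested bit. Models mode bits only; it does
    not model root, ACLs or mount options."""
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid == gid:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])

def audit_tree(root, uid, gid):
    """Map each file under root to (readable, writable) as seen by (uid, gid)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            report[rel] = (grants(st, uid, gid, READ), grants(st, uid, gid, WRITE))
    return report

def make_fixture():
    """Constructed web tree for two hosting customers. The modes are the ones
    the shared-uid model forces on anything the CGI has to touch."""
    root = tempfile.mkdtemp(prefix="cgi-audit-")
    files = {
        "userA/private.conf": 0o600,   # closed to the server, so also to its CGI
        "userA/db.conf": 0o644,        # readable by the server, hence by every CGI
        "userB/guestbook.txt": 0o666,  # CGI must append, so world-writable
        "userB/index.cgi": 0o755,
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return root

def exposed_to_other_users(root):
    """Files any customer's CGI can reach while all of them run as the shared identity."""
    uid, gid = shared_identity()
    return {p: rw for p, rw in audit_tree(root, uid, gid).items() if any(rw)}
```

Run `audit_tree` with `owner_identity()` instead of `shared_identity()` to see what a per-user CGI model would allow the same files to be locked down to (0600 still works for the owner's own script).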


 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     POST TO: spug-list at pm.org       PROBLEMS: owner-spug-list at pm.org
      Subscriptions; Email to majordomo at pm.org:  ACTION  LIST  EMAIL
  Replace ACTION by subscribe or unsubscribe, EMAIL by your Email-address
 For daily traffic, use spug-list for LIST ;  for weekly, spug-list-digest
  Seattle Perl Users Group (SPUG) Home Page: http://www.halcyon.com/spug/