SPUG: Re: setuid & CGI security (was: site clutter)
torin at daft.com
Tue Jun 26 02:36:49 CDT 2001
William Julien, in an immanent manifestation of deity, wrote:
>>William Julien, in an immanent manifestation of deity, wrote:
>>>Hmmm. Can you explain why it is a "Bad Thing" to have your server
>>>running as user "nobody" and group "nobody"? It would seem to me, that
>>>this would provide better security for the system if you ran scripts
>>>as an unprivlidged user. If your cgi scripts were run under setuid,
>>>a poorly written script can gain access to files (owned by them) that
>>>were not explicily permitted by the owner as world write.
>>So, if User A runs his scripts as "nobody" and User B runs her scripts
>>as "nobody", what could User A do to User B?
>I'm not sure I quite understand your question. If user "A" and "B" run
>as nobody, they are effectively the same user. The server side id is the
>same. Web servers, by their nature, are "anonymous". So unless the server
>script maintains the user information via cookies or session persistant
>logins, the userid for all users resticted to the "nobody" capability
>defined by the server. The answer to your question can be "anything they
>want to do"; given the security (or lack thereof) of the server.
Right. That's what makes it a "Bad Thing" for everyone to to have their
scripts run as "nobody". Any user can do anything they want to any
other user. I'd define that as bad. It would be trivial to find out
where User B keeps her logs of e-mail contacts or her weblogs. User A
could then plunder and spam all of User B's contacts or even modify and
deface her weblogs...
Not a good thing.
Yes, if it is running as the user, a bug in their scripts could cause
problems but not as bad as the other scenario.
<torin at daft.com><http://www.daft.com/~torin/> <torin at debian.org><perl at slut.org>
Darren Stalder/2608 Second Ave, @282/Seattle, WA 98121-1212/USA/+1-206-ELF-LIPZ
@ <URL:http://www.daft.com/~torin/resume.html> @
@ Unix Sys-Admin / Perl Guru / C expert for hire @
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
POST TO: spug-list at pm.org PROBLEMS: owner-spug-list at pm.org
Subscriptions; Email to majordomo at pm.org: ACTION LIST EMAIL
Replace ACTION by subscribe or unsubscribe, EMAIL by your Email-address
For daily traffic, use spug-list for LIST ; for weekly, spug-list-digest
Seattle Perl Users Group (SPUG) Home Page: http://www.halcyon.com/spug/
More information about the spug-list