SPUG: Re: setuid & CGI security (was: site clutter)
William Julien
moonbeam at catmanor.com
Tue Jun 26 03:27:23 CDT 2001
>>
>>I'm not sure I quite understand your question. If user "A" and "B" run
>>as nobody, they are effectively the same user. The server side id is the
>>same. Web servers, by their nature, are "anonymous". So unless the server
>>script maintains the user information via cookies or session persistent
>>logins, the userid for all users is restricted to the "nobody" capability
>>defined by the server. The answer to your question can be "anything they
>>want to do"; given the security (or lack thereof) of the server.
>
>Right. That's what makes it a "Bad Thing" for everyone to have their
>scripts run as "nobody". Any user can do anything they want to any
>other user. I'd define that as bad. It would be trivial to find out
>where User B keeps her logs of e-mail contacts or her weblogs. User A
>could then plunder and spam all of User B's contacts or even modify and
>deface her weblogs...
>
>Not a good thing.
>
>Yes, if it is running as the user, a bug in their scripts could cause
>problems but not as bad as the other scenario.
>
>Darren

You misunderstand. It is a "Good Thing" to have everyone run under a
restricted userid (like nobody) than have them have free run as a "real"
user. The nobody user generally has less privilege than a normal user.
This provides better security.

Of course, the degree of security depends on the degree of freedom
by the server admin. For two years, I had to convince (beg and plead)
my business admin to allow me CGI. Before that, all scripts were
evaluated and a decision was made on a per script basis if it would
be allowed on the server. After I had demonstrated my "god like" cgi
capability, they gave me unrestricted access.

I agree with this policy. I feel that trust should be earned. But I
also see that this level of interaction is less practical in the secure
commercial market. The market needs to strike a balance between security
and usability.

Jason should feel lucky. As an admin, I would have said "no".

---
William Julien _,'| _.-''``-...___..--';
moonbeam at catmanor.com /, \'. _..-' , ,--...--'''
vi is my shepherd; < \ .`--''' ` /|
i shall not font. `-,;' ; ; ;
__...--'' __...--_..' .;.'
(,__....----''' (,..--''
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
perl -e '( $ ,, $ ")=("a".."z")[0,-1]; print "sh", $ ","m\n";;";;"'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
POST TO: spug-list at pm.org PROBLEMS: owner-spug-list at pm.org
Subscriptions; Email to majordomo at pm.org: ACTION LIST EMAIL
Replace ACTION by subscribe or unsubscribe, EMAIL by your Email-address
For daily traffic, use spug-list for LIST ; for weekly, spug-list-digest
Seattle Perl Users Group (SPUG) Home Page: http://www.halcyon.com/spug/
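
Added example, not part of the original thread: a small model of the Unix owner/group/other permission check that puts both positions above side by side, showing what another user's CGI can reach in User B's files and what a bug in User B's own CGI can reach, under a shared "nobody" uid and under per-user setuid. The uids, paths and modes are constructed for illustration, and the model ignores directory search permissions and root.

```python
from dataclasses import dataclass

NOBODY, USER_A, USER_B = 65534, 1001, 1002  # constructed uids

@dataclass(frozen=True)
class File:
    path: str
    owner: int
    group: int
    mode: int  # permission bits, e.g. 0o644

def access(f, uid, gids=()):
    """Return '', 'r', 'w' or 'rw' using the owner/group/other rule."""
    if uid == f.owner:
        bits = f.mode >> 6
    elif f.group in gids:
        bits = f.mode >> 3
    else:
        bits = f.mode
    return ("r" if bits & 4 else "") + ("w" if bits & 2 else "")

def reach(files, uid, gids=()):
    """Map each reachable path to the access the given uid gets."""
    return {f.path: access(f, uid, gids) for f in files if access(f, uid, gids)}

# User B's files when every CGI runs as nobody: anything her scripts
# update must be writable by "other" (constructed layout).
SHARED = [
    File("/home/b/cgi-data/contacts.log", USER_B, USER_B, 0o666),
    File("/home/b/public_html/weblog.html", USER_B, USER_B, 0o666),
    File("/home/b/mail/inbox", USER_B, USER_B, 0o600),
]
# The same files when CGIs run setuid to their owner: modes can be tightened.
PER_USER = [
    File("/home/b/cgi-data/contacts.log", USER_B, USER_B, 0o600),
    File("/home/b/public_html/weblog.html", USER_B, USER_B, 0o644),
    File("/home/b/mail/inbox", USER_B, USER_B, 0o600),
]

def compare():
    return {
        "other_user_shared": reach(SHARED, NOBODY),    # User A's CGI as nobody
        "other_user_setuid": reach(PER_USER, USER_A),  # User A's CGI as User A
        "own_bug_shared": reach(SHARED, NOBODY),       # bug in B's CGI as nobody
        "own_bug_setuid": reach(PER_USER, USER_B),     # bug in B's CGI as User B
    }

if __name__ == "__main__":
    for case, files in compare().items():
        print(case, files)
```

Under the shared uid the other user's script gets read/write on the contact log and weblog but not the mailbox; under setuid it gets only a read of the weblog, while a bug in User B's own script can now reach everything she owns, mailbox included.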