SPUG: Re: setuid & CGI security (was: site clutter)

William Julien moonbeam at catmanor.com
Tue Jun 26 03:27:23 CDT 2001

>>I'm not sure I quite understand your question. If user "A" and "B" run
>>as nobody, they are effectively the same user. The server side id is the
>>same. Web servers, by their nature, are "anonymous". So unless the server
>>script maintains the user information via cookies or session persistant
>>logins, the userid for all users resticted to the "nobody" capability
>>defined by the server. The answer to your question can be "anything they
>>want to do"; given the security (or lack thereof) of the server.
>Right.  That's what makes it a "Bad Thing" for everyone to to have their
>scripts run as "nobody".  Any user can do anything they want to any
>other user.  I'd define that as bad.  It would be trivial to find out
>where User B keeps her logs of e-mail contacts or her weblogs.  User A
>could then plunder and spam all of User B's contacts or even modify and
>deface her weblogs...
>Not a good thing.
>Yes, if it is running as the user, a bug in their scripts could cause
>problems but not as bad as the other scenario.

You mis-understand. It is a "Good Thing" to have everyone run under a
restricted userid (like nobody) than have them have free run as a "real"
user. The nobody user generaly has less privledge than a normal user.
This provides better security. 

Of course, the degree of security depends on the degree of freedom
by the server admin. For two years, I had to convince (beg and plead)
my business addin to allow me CGI. Before that, all scripts were 
evaluated and a decision was made on a per script basis if it would
be allowed on the server. After I had demonstrated my "god like" cgi
capability, they gave me unrestricted access.

I agree with this policy. I feel that trust should be earned. But I
also see that this level of interaction is less practical in the secure
commercial market. The market needs to stike a balance between security
and usability. 

Jason should feel lucky. As an admin, I would have said "no".

   William Julien           _,'|            _.-''``-...___..--';
moonbeam at catmanor.com      /, \'.      _..-' ,      ,--...--'''
 vi is my shepherd;       < \   .`--'''      `     /| 
 i shall not font.         `-,;'              ;   ; ;  
                     __...--''     __...--_..'  .;.'  
                    (,__....----'''      (,..--''     
perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
perl -e '( $ ,, $ ")=("a".."z")[0,-1]; print "sh", $ ","m\n";;";;"'

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     POST TO: spug-list at pm.org       PROBLEMS: owner-spug-list at pm.org
      Subscriptions; Email to majordomo at pm.org:  ACTION  LIST  EMAIL
  Replace ACTION by subscribe or unsubscribe, EMAIL by your Email-address
 For daily traffic, use spug-list for LIST ;  for weekly, spug-list-digest
  Seattle Perl Users Group (SPUG) Home Page: http://www.halcyon.com/spug/

More information about the spug-list mailing list