SPUG: setuid & CGI security

El JoPe Magnifico jope at jope.net
Tue Jun 26 10:37:00 CDT 2001

I agree with using using the policy that is most secure from the
perspective of the system itself, and re-evaluating for specific
scripts or users.  That said, I hate authority, and as a user,
I can easily see how this restriction would be a pain. So...

It's not an optimal solution, and only provides read protection,
no write protection, but you can easily encrypt the data files.
The Crypt::* modules are fun 'n easy.

Another hacky workaround that would give you both read and write
protection (though the security soundness is questionable), is to
write a separate prog outside in your document root through which
your CGI script accesses specific files, have it require an auth
token at the start, and make sure the data files are also placed
somewhere outside your document root.  If you don't have access
to a non-webspace area on the web server, or the server is running
chrooted, then this isn't an option.

Spot the above for security holes, I haven't had my coffee yet.  =)

On Mon, 25 Jun 2001, Jason Lamport wrote:
> The problem with running CGI scripts as "nobody" is that any files
> that your scripts can access can also be accessed by any other user
> on the system.  If you're running your own dedicated web server, this
> isn't a problem; but in a multi-user, virtual-server setup like
> drizzle's this is a big problem.
> If a script runs as setuid, then I can make files accessible to that
> script while hiding those files from other users.  This is a Good
> Thing.  If a script runs as "nobody," then in order to have my script
> read from a file (such as a password file, for example) I have to
> make that file world-readable; and if the script needs to write to a
> file, then I need to make that file world-writable.  These are Bad
> Things.

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     POST TO: spug-list at pm.org       PROBLEMS: owner-spug-list at pm.org
      Subscriptions; Email to majordomo at pm.org:  ACTION  LIST  EMAIL
  Replace ACTION by subscribe or unsubscribe, EMAIL by your Email-address
 For daily traffic, use spug-list for LIST ;  for weekly, spug-list-digest
  Seattle Perl Users Group (SPUG) Home Page: http://www.halcyon.com/spug/

More information about the spug-list mailing list