There were a couple of times when I considered doing something like this for various reasons. A few things to consider (if you haven't already).<br><br><ul><li>Use the 'system()' function with arguments, instead of a full command-line string using back-ticks. This will reduce or eliminate the need to strip special characters that could possibly be used to execute any sub-commands.<br>
</li><li>Have your script do an md5 on the command and compare it to a protected list somewhere, or to an array of md5 strings kept within your script.</li><li>Chroot the commands that you want to execute. This means chrooting "perl" itself, along with its libraries.<br>
</li><li>Have perl execute as a non-root account (you wouldn't believe how much this is overlooked, and so simple to fix)</li><li>Why use a text field? Use a select/dropdown, so you know exactly what the user could possibly execute, and make sure you submit it via POST. Use SSL.</li>
<li>Be strict with Apache, do not "FollowSymLinks" unless it is necessary. Don't put data in the CGI directory. Don't make directories listable if there isn't an 'index.html'</li></ul>There are probably a lot of other things you can do, depending on how strict you want to be. If you have the time, I say go whole-hog on it for the experience, and share the details with us :)<br>
<br><div class="gmail_quote">On Wed, Feb 18, 2009 at 2:39 PM, Fulko Hew <span dir="ltr"><<a href="mailto:fulko.hew@gmail.com">fulko.hew@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Problem:<br><br>I'm providing a mechanism so that a system can be configured to 'run' executables on remote machines based on configuration information submitted in a CGI text field.<br><br>
Obviously I don't want to allow the user to trash the system.<br><br>
I'm going to:<br><br>
1/ restrict the system to allow it to only execute 'trusted' apps located in a 'known' directory. (can I make a chroot jail in Perl/CGI?)<br><br>
2/ strip characters from the invocation string that could be used to hurt me:<br>
<ul>
<li>semicolon - because another malicious command could follow</li>
<li>backtick - because that could run another program</li>
<li>( ) - because that could invoke a sub-shell to run ...</li>
<li>| - because that could invoke ...</li>
<li>&amp; - because other stuff might follow</li>
<li>&gt; - because that could clobber an important file</li>
<li>any \0xxx string that represents any of the above 'nasty' characters.</li>
</ul>
Tainting only talks about the concept, not what to de-taint.<br><br>
- Are there any other things I should check for/prevent?<br>
- Is there any standard/common resource on the web that you know of that talks about this (that I haven't found yet)?<br><br>
TIA<br>Fulko<br><br>
<br>_______________________________________________<br>
toronto-pm mailing list<br>
<a href="mailto:toronto-pm@pm.org">toronto-pm@pm.org</a><br>
<a href="http://mail.pm.org/mailman/listinfo/toronto-pm" target="_blank">http://mail.pm.org/mailman/listinfo/toronto-pm</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>J. Bobby Lopez<br>Web: <a href="http://jbldata.com/">http://jbldata.com/</a><br>Twitter: <a href="http://www.twitter.com/jbobbylopez">http://www.twitter.com/jbobbylopez</a><br>
<br>
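<p>An added example, not code from either poster, showing how the first, fourth and fifth points of the reply fit together in one Perl CGI: the submitted value is a dropdown token that is looked up in a fixed allowlist (a hash keyed by name is used here in place of the md5 list the reply suggests), the matching entry is run with the list form of <code>system()</code> so no shell ever sees user input, and the script runs under taint mode (<code>-T</code>) so an un-validated value cannot reach an exec. The command names, paths, the <code>cmd</code> form field and the 4 KB body limit are all assumptions; chroot and the non-root account are deployment matters not shown in the code.</p>

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): an allowlisted command runner for a
# Perl CGI, combining the list-form system() call, a fixed allowlist in place
# of a free-text field, and taint mode. Command names and paths are assumptions.
use strict;
use warnings;

# Assumed allowlist: each key is a value the <select> can submit, each value
# is an argv list. The user never supplies a path, an option or a shell string.
my %ALLOWED = (
    'disk-usage' => [ '/bin/df', '-h' ],
    'uptime'     => [ '/usr/bin/uptime' ],
    'who'        => [ '/usr/bin/who' ],
);

# Under -T perl refuses to run a program while PATH is untrusted or while
# IFS/CDPATH/ENV/BASH_ENV are set, so fix the environment before any exec.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Validate and untaint: accept a bare token that is a key of %ALLOWED, nothing
# else. The regex capture is what clears the taint flag; the hash lookup is
# the policy. Returns the canonical name, or undef when the input is rejected.
sub select_command {
    my ($raw) = @_;
    return undef unless defined $raw;
    my ($name) = $raw =~ /\A([A-Za-z0-9_-]{1,32})\z/ or return undef;
    return exists $ALLOWED{$name} ? $name : undef;
}

# Run one allowlisted entry with the list form of system(): no shell is
# started, so ; ` | & > ( ) in any input never reach one. Returns the
# program's exit status.
sub run_command {
    my ($name) = @_;
    my $argv = $ALLOWED{$name} or die "refusing to run '$name': not allowlisted\n";
    my $rc = system { $argv->[0] } @$argv;
    die "could not exec $argv->[0]: $!\n" if $rc == -1;
    return $? >> 8;
}

# Read one POSTed form field named 'cmd' (assumed field name) without CGI.pm.
# GET is refused outright, so the command cannot be triggered by a plain link.
# No URL-decoding is needed because valid tokens contain no reserved characters.
sub posted_cmd {
    return undef unless ($ENV{REQUEST_METHOD} || '') eq 'POST';
    my ($len) = ($ENV{CONTENT_LENGTH} || '') =~ /\A(\d+)\z/;
    return undef unless $len && $len <= 4096;
    read STDIN, my $body, $len;
    my ($val) = $body =~ /(?:\A|&)cmd=([^&]*)/;
    return $val;
}

# Stand-alone use for testing: `perl -T runner.pl uptime` reads the name from
# @ARGV; under a web server the name comes from the POST body instead.
my $in_cgi = ($ENV{GATEWAY_INTERFACE} || '') =~ /^CGI/;
my $name   = select_command($in_cgi ? posted_cmd() : $ARGV[0]);

print "Content-Type: text/plain\r\n\r\n" if $in_cgi;
if (defined $name) {
    my $status = run_command($name);
    print "\n[exit status $status]\n";
} else {
    print "rejected: not an allowlisted command\n";
}
```

<p>Because <code>-T</code> is on the shebang line, the script must also be started with <code>perl -T</code> when run by hand. A value such as <code>uptime;rm -rf /</code> never gets as far as <code>system()</code>: it fails the <code>select_command</code> regex, and even a value that slipped through would only be used as a hash key, never as part of an argv. That is the reason to prefer a lookup over stripping characters; the list of characters worth stripping is open-ended, the list of commands you are willing to run is not.</p>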