[Chicago-talk] chown inside a script

Ted Zlatanov tzz at lifelogs.com
Thu Dec 6 07:59:25 PST 2007

On Wed, 05 Dec 2007 22:38:10 -0600 Jonathan Rockway <jon at jrock.us> wrote: 

JR> On Wed, 2007-12-05 at 22:28 -0600, Jay Strauss wrote:
>> Thanks.
>> But I don't think that will work in my case, because I'm doing it from
>> a web page, I had to create an suid link to chown, to call from my
>> cgi.
>> Unless there is some way to do it from inside perl, but still change
>> ownership of file not owned by the webserver.

JR> This is a massive security nightmare.  Consider the case where someone
JR> symlinks /path/that/matches/your.glob to /etc/shadow.  You've just
JR> rendered the system unusable.

JR> Also, keep in mind that you can't create a "setuid link".  chmod follows
JR> symlinks and updates the original file.

I think chroot to a known good path that contains only data files (plus
a minimal chown setup) would work.  Symlinks to the outside won't
resolve inside such an environment.  Hard links will, if the filesystem
was shared, so don't put the data files on the /etc filesystem.  The
worst an attacker could do is corrupt the data inside the chroot
environment.  It's a pain to set it all up, though.


More information about the Chicago-talk mailing list