SPUG: setuid & CGI security (was: site clutter)

Jason Lamport jason at strangelight.com
Mon Jun 25 23:54:55 CDT 2001


At 5:49 PM -0700 6/25/01, William Julien wrote:
>  >
>>A word of warning:  drizzle's tech people don't entirely know what
>>they're doing.  E.g. they've set up their site so that users' CGI
>>scripts run with the same UID as the web server(!), *not* as the user
>>who owns the account.  Not only that, but when I called up to
>>complain, it took me rather a long time to explain to their Unix
>>"guru" why this was a Bad Thing.
>
>Hmmm. Can you explain why it is a "Bad Thing" to have your server
>running as user "nobody" and group "nobody"? It would seem to me, that
>this would provide better security for the system if you ran scripts
>as an unprivileged user. If your cgi scripts were run under setuid,
>a poorly written script can gain access to files (owned by them) that
>were not explicitly permitted by the owner as world write.

The problem with running CGI scripts as "nobody" is that any files 
that your scripts can access can also be accessed by any other user 
on the system.  If you're running your own dedicated web server, this 
isn't a problem; but in a multi-user, virtual-server setup like 
drizzle's this is a big problem.

If a script runs as setuid, then I can make files accessible to that 
script while hiding those files from other users.  This is a Good 
Thing.  If a script runs as "nobody," then in order to have my script 
read from a file (such as a password file, for example) I have to 
make that file world-readable; and if the script needs to write to a 
file, then I need to make that file world-writable.  These are Bad 
Things.

>
>Halcyon is much more permissive. For example, they allow cgi scripts to
>be located within your document root (cgi-pvt). A "Bad Thing".
>

Now I have a question: why is allowing CGI scripts in the document 
root a "Bad Thing"?  Most providers I've used allow this, and I 
personally find it very convenient: it allows me to put scripts where 
they belong logically in the site hierarchy rather than off in a 
cgi-bin directory, and lets me create prettier URLs. (One favorite 
trick of mine is to use index.cgi files to create "extensionless" 
URLs:  http://www.foo.com/bar/index.cgi can be accessed as simply 
http://www.foo.com/bar/ )

-jason

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     POST TO: spug-list at pm.org       PROBLEMS: owner-spug-list at pm.org
      Subscriptions; Email to majordomo at pm.org:  ACTION  LIST  EMAIL
  Replace ACTION by subscribe or unsubscribe, EMAIL by your Email-address
 For daily traffic, use spug-list for LIST ;  for weekly, spug-list-digest
  Seattle Perl Users Group (SPUG) Home Page: http://www.halcyon.com/spug/
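
The permissions trade-off argued in the message above, as an added example that is not part of the original post: a Python audit that lists which files in an account other users on a shared host can read or modify. The function names, the file names and both demo layouts are constructed for illustration.

```python
import os
import stat
import tempfile

def audit(root):
    """Return {relative path: [findings]} for entries under root that
    accounts outside the owner and group can read or modify."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        reachable = []
        for d in dirnames:
            full = os.path.join(dirpath, d)
            mode = os.lstat(full).st_mode
            if not stat.S_ISDIR(mode):      # symlink to a directory: not walked
                continue
            # o+w without the sticky bit lets anyone delete or replace entries.
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings[os.path.relpath(full, root)] = ["world-writable directory"]
            # Without o+x other users cannot reach anything below, so prune it.
            if mode & stat.S_IXOTH:
                reachable.append(d)
        dirnames[:] = reachable
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISREG(mode):
                continue
            flags = [label for bit, label in ((stat.S_IROTH, "world-readable"),
                                              (stat.S_IWOTH, "world-writable"))
                     if mode & bit]
            if flags:
                findings[os.path.relpath(full, root)] = flags
    return findings

def build_demo(shared_uid):
    """Constructed layout: a password file and a data file a CGI script needs.
    shared_uid=True models scripts running as "nobody"; False models scripts
    running as the account owner (setuid)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "private"))
    os.chmod(os.path.join(root, "private"), 0o755 if shared_uid else 0o700)
    for name, shared_mode in (("private/passwords", 0o644), ("guestbook.dat", 0o666)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, shared_mode if shared_uid else 0o600)
    return root

if __name__ == "__main__":
    for shared in (True, False):
        print("shared UID" if shared else "owner UID", audit(build_demo(shared)))
```

The audit assumes `root` itself is reachable by other users, which is the case for an account directory the web server has to traverse.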




