SPUG: setuid & CGI security (was: site clutter)
Jason Lamport
jason at strangelight.com
Mon Jun 25 23:54:55 CDT 2001
At 5:49 PM -0700 6/25/01, William Julien wrote:
> >
>>A word of warning: drizzle's tech people don't entirely know what
>>they're doing. E.g. they've set up their site so that users' CGI
>>scripts run with the same UID as the web server(!), *not* as the user
>>who owns the account. Not only that, but when I called up to
>>complain, it took me rather a long time to explain to their Unix
>>"guru" why this was a Bad Thing.
>
>Hmmm. Can you explain why it is a "Bad Thing" to have your server
>running as user "nobody" and group "nobody"? It would seem to me, that
>this would provide better security for the system if you ran scripts
>as an unprivileged user. If your cgi scripts were run under setuid,
>a poorly written script can gain access to files (owned by them) that
>were not explicitly permitted by the owner as world write.

The problem with running CGI scripts as "nobody" is that any files
that your scripts can access can also be accessed by any other user
on the system. If you're running your own dedicated web server, this
isn't a problem; but in a multi-user, virtual-server setup like
drizzle's this is a big problem.

If a script runs as setuid, then I can make files accessible to that
script while hiding those files from other users. This is a Good
Thing. If a script runs as "nobody," then in order to have my script
read from a file (such as a password file, for example) I have to
make that file world-readable; and if the script needs to write to a
file, then I need to make that file world-writable. These are Bad
Things.

>
>Halcyon is much more permissive. For example, they allow cgi scripts to
>be located within your document root (cgi-pvt). A "Bad Thing".
>
Now I have a question: why is allowing CGI scripts in the document
root a "Bad Thing"? Most providers I've used allow this, and I
personally find it very convenient: it allows me to put scripts where
they belong logically in the site hierarchy rather than off in a
cgi-bin directory, and lets me create prettier URLs. (One favorite
trick of mine is to use index.cgi files to create "extensionless"
URLs: http://www.foo.com/bar/index.cgi can be accessed as simply
http://www.foo.com/bar/ )
-jason
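
The argument in the reply above, checked exhaustively with a small model of the owner/group/other permission check. This is an added example, not part of the original post; the account names, UIDs and function names are constructed, and supplementary groups, ACLs and root are ignored.

```python
# Added example: model of the classic Unix owner/group/other check.
# Assumptions: constructed accounts; one gid per process; no ACLs, no root.
ALICE = (1001, 1001)      # (uid, gid) of the customer who owns the data file
BOB = (1002, 1002)        # another customer on the same host
NOBODY = (65534, 65534)   # the web server's account

def can(proc, file_ids, mode, want):
    """True if process (uid, gid) may 'r' or 'w' a file with (uid, gid) file_ids.
    Only the first matching class (owner, then group, then other) is consulted."""
    bit = {"r": 4, "w": 2}[want]
    if proc[0] == file_ids[0]:
        shift = 6
    elif proc[1] == file_ids[1]:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)

def exposure(mode, file_ids, cgi_shared):
    """Who can reach Alice's data file. cgi_shared=True: every customer's CGI
    runs as NOBODY; False: each customer's CGI runs under that customer's UID."""
    alice_cgi, bob_cgi = (NOBODY, NOBODY) if cgi_shared else (ALICE, BOB)
    return {
        "alice_script": can(alice_cgi, file_ids, mode, "r") and can(alice_cgi, file_ids, mode, "w"),
        "bob_shell": can(BOB, file_ids, mode, "r") or can(BOB, file_ids, mode, "w"),
        "bob_script": can(bob_cgi, file_ids, mode, "r") or can(bob_cgi, file_ids, mode, "w"),
    }

def isolating_settings(cgi_shared):
    """Every (file uid, file gid, mode) where Alice's script can read and write
    the file while Bob can neither read nor write it, by shell or by his own CGI."""
    found = []
    for f_uid in (ALICE[0], NOBODY[0]):
        for f_gid in (ALICE[1], NOBODY[1]):
            for mode in range(0o1000):
                e = exposure(mode, (f_uid, f_gid), cgi_shared)
                if e["alice_script"] and not (e["bob_shell"] or e["bob_script"]):
                    found.append((f_uid, f_gid, mode))
    return found

if __name__ == "__main__":
    print("shared UID  :", len(isolating_settings(True)), "isolating settings")
    print("per-user UID:", len(isolating_settings(False)), "isolating settings")
    print("0666 under shared UID:", exposure(0o666, ALICE, True))
```

Under the shared UID no owner, group or mode combination keeps the file private, because the other customer's CGI runs with the same identity as yours; with per-user execution, mode 0600 owned by the account holder is enough.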
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
POST TO: spug-list at pm.org PROBLEMS: owner-spug-list at pm.org
Subscriptions; Email to majordomo at pm.org: ACTION LIST EMAIL
Replace ACTION by subscribe or unsubscribe, EMAIL by your Email-address
For daily traffic, use spug-list for LIST ; for weekly, spug-list-digest
Seattle Perl Users Group (SPUG) Home Page: http://www.halcyon.com/spug/