SPUG: Re: setuid & CGI security (was: site clutter)

Darren/Torin/Who Ever... torin at daft.com
Tue Jun 26 02:36:49 CDT 2001 

William Julien, in an immanent manifestation of deity, wrote:
>>William Julien, in an immanent manifestation of deity, wrote:
>>>Hmmm. Can you explain why it is a "Bad Thing" to have your server
>>>running as user "nobody" and group "nobody"? It would seem to me, that
>>>this would provide better security for the system if you ran scripts
>>>as an unprivlidged user. If your cgi scripts were run under setuid,
>>>a poorly written script can gain access to files (owned by them) that
>>>were not explicily permitted by the owner as world write.
>>
>>So, if User A runs his scripts as "nobody" and User B runs her scripts
>>as "nobody", what could User A do to User B?
>>
>>Darren
>
>I'm not sure I quite understand your question. If user "A" and "B" run
>as nobody, they are effectively the same user. The server side id is the
>same. Web servers, by their nature, are "anonymous". So unless the server
>script maintains the user information via cookies or session persistant
>logins, the userid for all users resticted to the "nobody" capability
>defined by the server. The answer to your question can be "anything they
>want to do"; given the security (or lack thereof) of the server.

Right.  That's what makes it a "Bad Thing" for everyone to to have their
scripts run as "nobody".  Any user can do anything they want to any
other user.  I'd define that as bad.  It would be trivial to find out
where User B keeps her logs of e-mail contacts or her weblogs.  User A
could then plunder and spam all of User B's contacts or even modify and
deface her weblogs...

Not a good thing.

Yes, if it is running as the user, a bug in their scripts could cause
problems but not as bad as the other scenario.

Darren
-- 
<torin at daft.com><http://www.daft.com/~torin/> <torin at debian.org><perl at slut.org>
Darren Stalder/2608 Second Ave, @282/Seattle, WA 98121-1212/USA/+1-206-ELF-LIPZ
@                <URL:http://www.daft.com/~torin/resume.html>                 @
@               Unix Sys-Admin / Perl Guru / C expert for hire                @

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     POST TO: spug-list at pm.org       PROBLEMS: owner-spug-list at pm.org
      Subscriptions; Email to majordomo at pm.org:  ACTION  LIST  EMAIL
  Replace ACTION by subscribe or unsubscribe, EMAIL by your Email-address
 For daily traffic, use spug-list for LIST ;  for weekly, spug-list-digest
  Seattle Perl Users Group (SPUG) Home Page: http://www.halcyon.com/spug/

More information about the spug-list mailing list