SPUG: setuid & CGI security

El JoPe Magnifico jope-spug at jope.net
Tue Jun 26 15:27:29 CDT 2001


>> It's not an optimal solution, and only provides read protection,
>> no write protection, but you can easily encrypt the data files.
>> The Crypt::* modules are fun 'n easy.
>
> How do you decrypt them without making the decrypting password
> world-readable?

Hmm, I was just thinking put it in the CGI script itself.  Except
I forgot that CGI scripts (or any script) need to be readable as
well as executable.  So any local user can read the script.  Curses!
Oh well, encryption is a pain in the ass (*) anyway.

[* day-job angst, please ignore =]

>> Another hacky workaround that would give you both read and write
>> protection (though the security soundness is questionable), is to
>> write a separate prog outside in your document root through which
>> your CGI script accesses specific files, have it require an auth
>> token at the start,

And same goes here.  If there were some other way to reliably verify
what the calling (parent) script was, that would suffice.  Checking
its environment is no good, because that can be modified.  Is there
anything else?

Y'know, the more I think about it, that cgiwrap prog isn't such a bad
thing.  It can chroot your script, which takes much of the danger to
the system out of running CGI scripts as the user, and still gives you
all the freedom you are after:

  http://cgiwrap.unixtools.org/chroot.html

Further, it is possible to avoid the cumbersome prefix in the URL path,
they just need to add a couple Rewrite rules to the server config:

  http://cgiwrap.unixtools.org/tricks.html

Maybe that's what you should be asking for, if that was your gripe.
  -jp
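As an added illustration of the permission problem discussed in this thread (example code, not from the original post or from cgiwrap): a key embedded in the CGI script is readable by every local account that can read the script, a 0600 key file is safe but unusable when the script runs as the shared web server account, and only running the script as the file's owner (the wrapper approach) gives both. The classification looks at POSIX mode bits only; it ignores ACLs and treats group read as exposure, both simplifying assumptions.

```python
import os
import stat
import tempfile

def readable_by(path):
    """Which classes of local user can read `path` by its mode bits:
    a subset of {"owner", "group", "other"}. ACLs are ignored (assumption)."""
    mode = os.stat(path).st_mode
    return {name for name, bit in (("owner", stat.S_IRUSR),
                                   ("group", stat.S_IRGRP),
                                   ("other", stat.S_IROTH)) if mode & bit}

def classify_secret(path, script_runs_as_owner):
    """Classify a secret file for a CGI deployment.
    'exposed': some account other than the owner can read it (group read
               counts as exposure here, a simplifying assumption).
    'unreadable-by-script': private to the owner, but the script runs as
               the shared web server account, so it cannot read it either.
    'safe': private to the owner and the script runs as that owner
               (e.g. under a wrapper such as cgiwrap)."""
    who = readable_by(path)
    if who - {"owner"}:
        return "exposed"
    if "owner" not in who or not script_runs_as_owner:
        return "unreadable-by-script"
    return "safe"

def make_file(directory, name, mode, content):
    """Create a constructed sample file with explicit permission bits."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path

def demo():
    """Run the three cases from the discussion; returns case -> verdict."""
    d = tempfile.mkdtemp()
    # Key inside the CGI script: a script must be readable to be run, and
    # with the usual 0755 every local user can read the key in it.
    script = make_file(d, "form.cgi", 0o755,
                       "#!/usr/bin/perl\nmy $key = 'constructed-sample-key';\n")
    # Key in a separate file readable only by its owner.
    keyfile = make_file(d, "key.txt", 0o600, "constructed-sample-key\n")
    return {
        "key_in_script": classify_secret(script, script_runs_as_owner=False),
        "keyfile_plain_cgi": classify_secret(keyfile, script_runs_as_owner=False),
        "keyfile_wrapper": classify_secret(keyfile, script_runs_as_owner=True),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```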


 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     POST TO: spug-list at pm.org       PROBLEMS: owner-spug-list at pm.org
      Subscriptions; Email to majordomo at pm.org:  ACTION  LIST  EMAIL
  Replace ACTION by subscribe or unsubscribe, EMAIL by your Email-address
 For daily traffic, use spug-list for LIST ;  for weekly, spug-list-digest
  Seattle Perl Users Group (SPUG) Home Page: http://www.halcyon.com/spug/
