Re: CGI security on a shared web server
From: Antonomasia (ant@notatla.demon.co.uk)
Date: 05/23/02
- Previous message: Kurt Seifried: "Re: CGI security on a shared web server"
- Maybe in reply to: George Dinwiddie: "CGI security on a shared web server"
- Next in thread: Antonomasia: "Re: CGI security on a shared web server"
To: gdinwiddie@min.net, secprog@securityfocus.com
Date: Thu, 23 May 2002 22:48:36 +0100 (BST)
From: ant@notatla.demon.co.uk (Antonomasia)
From: George Dinwiddie <gdinwiddie@min.net>
> I am renting server space on a shared machine which runs my site, and
> others, as virtual domains on a single instance of Apache. CGI programs
> run under the uid 'nobody', as does the server itself. This means that
> if I want to provide write access to a data file, I must allow world
> write access to that file. It also means that if my CGI program
> creates a data file, that file is owned by 'nobody' and I do not have
> full privileges over my own data. Since the box has multiple
> legitimate users, all users of the box have just as much access to
> my data as I do.
I agree that this is a problem. If I were trying to provide a service
of this kind I'd want to use something similar to suexec to switch to
a different UID for each virtual host; and none of them would be "nobody".
Each customer would have 2 accounts too - one used in suexec and one with
which to prepare web pages etc. Never having configured a virtual host
webserver I can't comment reliably on how hard that would be to do but
provided wrapper programs can be told the virtual host involved I think
the rest should present no problem to many people on this list. That it
would unsettle some ISPs doesn't surprise me.
> I've asked the owner of the server to enable the suEXEC feature of
> Apache. The response I've gotten is that this is a security
> vulnerability.
They're entitled to take that view and risk losing your business.
Can you interest them in running another apache somewhere just for you?
--
##############################################################
# Antonomasia   ant notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
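The two points raised in this exchange, a data file that must be world-writable because every customer's CGI runs as 'nobody', and the suggested fix of running each virtual host's CGIs under its own uid via suexec, can be checked and expressed in a few lines. The script below is an added example written for this archive page; it is not code from the thread or from Apache. It assumes the web server uid is 'nobody', that customers keep their sites under /home/<user>/public_html, and that Apache 2.x with mod_suexec is in use (the `SuexecUserGroup` directive is Apache 2.x; the 1.3 suexec of 2002 used per-`<VirtualHost>` `User`/`Group` lines). The sample document root it builds under a temporary directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a document root for
# data files that every other customer's CGI (all running as $WEB_UID) could
# read or modify, and emits the per-vhost stanza that would let one host's
# CGIs run as the customer's own uid instead.
# Assumption: the shared server's CGI/httpd uid is 'nobody'.
WEB_UID="${WEB_UID:-nobody}"

# List every regular file under $1 that is world-writable or owned by the
# web server uid. Either one means "shared with every CGI on the box".
audit_docroot() {
    if uid=$(id -u "$WEB_UID" 2>/dev/null); then
        find "$1" -type f \( -perm -002 -o -user "$uid" \)
    else
        # uid not resolvable on this box: fall back to the permission test
        find "$1" -type f -perm -002
    fi
}

count_shared_files() {
    audit_docroot "$1" | wc -l | tr -d ' '
}

# Build a constructed sample site: one CGI, one data file left mode 666 so
# a 'nobody' CGI can append to it (the problem described above), and one
# private file. Prints the directory it created.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/cgi-bin" "$d/data"
    printf '#!/bin/sh\necho "Content-type: text/plain"\necho\necho hi\n' \
        > "$d/cgi-bin/guestbook.cgi"
    chmod 755 "$d/cgi-bin/guestbook.cgi"
    : > "$d/data/guestbook.txt"
    chmod 666 "$d/data/guestbook.txt"   # world-writable: the weak setting
    : > "$d/data/private.txt"
    chmod 600 "$d/data/private.txt"     # owned by the customer, not shared
    echo "$d"
}

# Emit an Apache 2.x <VirtualHost> for one customer following the
# two-account scheme in the reply: $2 is the account that edits the pages,
# $3 the account suexec switches to for CGIs, $4 the shared group.
# $1 is the host name. Paths are assumptions for the example.
vhost_stanza() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot /home/$2/public_html
    ScriptAlias /cgi-bin/ /home/$2/public_html/cgi-bin/
    # CGIs for this host run as $3:$4, never as $WEB_UID
    SuexecUserGroup $3 $4
</VirtualHost>
EOF
}

# Usage: sh audit.sh /path/to/docroot  (lists shared files, exits 0)
if [ $# -gt 0 ]; then
    audit_docroot "$1"
fi
```

With the per-vhost stanza in place, the guestbook data file can be made mode 660 and owned by the suexec account and the editing account's common group, so the audit above no longer lists it and no other customer's CGI can touch it.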