Re: CGI security on a shared web server (fwd)

From: Lee E. Brotzman (leb@gmss.com)
Date: 05/24/02


To: secprog@securityfocus.com
Date: Fri, 24 May 2002 09:37:13 -0400
From: "Lee E. Brotzman" <leb@gmss.com>

In general, you don't have to have suEXEC to run setuid programs. If you can
set the permission bits on CGI scripts on your shared web server, you can turn
on the setuid bit for those few CGI scripts you need to have setuid.

I don't use suEXEC, mainly because it makes *all* the CGI scripts setuid. I
have a web-based system I wrote in 30,000 lines of Perl. Of those, about 4,000
lines of code run setuid. I restrict setuid status to *only* those scripts
that actually have to write data on the system or access restricted data. It
greatly reduces the vulnerability to the system and I have a much smaller pool
of code that I have to scrutinize for the usual dangers of setuid status and
privilege escalation.

If I ran this system under suEXEC, then I'd be worried sick about those 30,000
lines of code. This way I'm still worried, but not sick about it. ;-)

suEXEC also does nothing to actually protect the system from a poorly written
script. It just makes sure the location and ownerships are right. The security
hole your web service provider is worried about probably stems from the idea
of all of a sudden turning on hundreds of setuid scripts of unknown quality on
his system. It would be manageable if you were leasing a single rack-mount
machine, but for a shared virtual hosting box, the liabilities are too high.

-- 
-- Lee E. Brotzman                    E-mail: leb@gmss.com
-- Allied Technology Group            Phone : 814-861-5028
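
An added example, not part of the original post or the author's system: a small Python audit that keeps the setuid pool described above limited to a reviewed allowlist of CGI scripts. The file names, modes and allowlist are constructed for illustration.

```python
import os
import stat

def scan(root):
    """Yield (relative_path, st_mode) for every regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of root
            if stat.S_ISREG(st.st_mode):
                yield os.path.relpath(full, root), st.st_mode

def audit(entries, allowed):
    """Compare setuid files against the scripts that are meant to be setuid.

    unexpected: setuid but not on the allowlist (privileged, unreviewed code)
    writable:   setuid and group- or world-writable (replaceable by others)
    missing:    on the allowlist but not found with the setuid bit set
    """
    allowed = set(allowed)
    seen_setuid = set()
    report = {"unexpected": [], "writable": [], "missing": []}
    for rel, mode in entries:
        if not mode & stat.S_ISUID:
            continue  # ordinary script, outside the setuid review pool
        seen_setuid.add(rel)
        if rel not in allowed:
            report["unexpected"].append(rel)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            report["writable"].append(rel)
    report["unexpected"].sort()
    report["writable"].sort()
    report["missing"] = sorted(allowed - seen_setuid)
    return report

# Constructed sample: modes as lstat() would report them for a cgi-bin tree.
SAMPLE = [
    ("view.cgi",        0o100755),  # not setuid
    ("admin/save.cgi",  0o104755),  # setuid, reviewed
    ("admin/purge.cgi", 0o104775),  # setuid, reviewed, but group-writable
    ("search.cgi",      0o104755),  # setuid, never reviewed
]
ALLOWED = ["admin/save.cgi", "admin/purge.cgi", "admin/export.cgi"]

if __name__ == "__main__":
    for kind, paths in audit(SAMPLE, ALLOWED).items():
        print(kind, paths)
```

On a live tree, pass `scan("/path/to/cgi-bin")` as `entries` in place of the sample list.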


