Re: CGI security on a shared web server (fwd)

From: Luciano Miguel Ferreira Rocha (strange@nsk.no-ip.org)
Date: 05/28/02


Date: Tue, 28 May 2002 22:19:22 +0100
From: Luciano Miguel Ferreira Rocha <strange@nsk.no-ip.org>
To: "Lee E. Brotzman" <leb@gmss.com>

On Tue, May 28, 2002 at 08:50:55AM -0400, Lee E. Brotzman wrote:
> > 1. With suexec, only the account of the idiot who owns the insecure CGI
> > program is compromised.
> > 2. Without suexec, the account the daemon and all other CGI programs run
> > under is compromised.
>
> Not necessarily. If the insecure CGI program was running setuid with the UID
> of the "idiot's" account then option 2 will not endanger the daemon any more
> than option 1 will.

Actually, it will. It will have the privileges of the user it's
setuid to, and also of the webserver's user: setuid(getuid()).

Also, note that using suEXEC is not the same as a setuid script. The
environment is sanitized, only setuid(2) to certain uids/gids is allowed,
and you can't get back the lost privileges.
 
> If suexec had an option for specifying which CGI programs to run setuid, then
> I agree that it is a decent wrapper program. Until then, I ain't agonna use it.

I don't think it has. But nobody is stopping you from changing the source
to your needs. :)

Regards

-- 
Luciano Rocha, strange@nsk.yi.org
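
Added example, not part of the original message: a small C program contrasting the credentials of a setuid CGI binary started by the web server with those of a CGI started through a root wrapper that called setuid(2) first, and showing a permanent drop a setuid program can perform itself. The uids 33 and 1001 are constructed sample values; the model assumes classic Unix uid rules and ignores group ids and Linux capabilities.

```c
/* Added example: which uids a CGI process can still switch to. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc declares these only under _GNU_SOURCE; repeated so this builds either way. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

struct cred { uid_t ruid, euid, suid; };

/* A process may set its effective uid to its real, effective or saved
 * uid, so each of the three is an identity its code can act as. */
int can_become(const struct cred *c, uid_t target)
{
    if (c->ruid == 0 || c->euid == 0 || c->suid == 0)
        return 1;                    /* root is reachable, so any uid is */
    return target == c->ruid || target == c->euid || target == c->suid;
}

/* Read the calling process's real, effective and saved uids. */
int read_cred(struct cred *c)
{
    return getresuid(&c->ruid, &c->euid, &c->suid);
}

/* Irreversible switch: set all three uids, then verify the result. */
int drop_permanently(uid_t uid)
{
    struct cred now;
    if (setresuid(uid, uid, uid) != 0 || read_cred(&now) != 0)
        return -1;
    return (now.ruid == uid && now.euid == uid && now.suid == uid) ? 0 : -1;
}

int main(void)
{
    const uid_t WWW = 33, OWNER = 1001;      /* constructed sample uids */
    /* setuid-OWNER binary exec'd by the web server: real uid stays WWW */
    struct cred setuid_cgi = { WWW, OWNER, OWNER };
    /* root wrapper called setuid(OWNER) before exec: all three change */
    struct cred wrapped_cgi = { OWNER, OWNER, OWNER };

    printf("setuid CGI can act as web server:  %d\n", can_become(&setuid_cgi, WWW));
    printf("wrapped CGI can act as web server: %d\n", can_become(&wrapped_cgi, WWW));
    /* What a setuid program would call first to give up its real uid. */
    printf("drop to effective uid: %d\n", drop_permanently(geteuid()));
    return 0;
}
```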


