RE: CGI security on a shared web server

From: Martijn de Jong (mdjong@ada.nl)
Date: 05/31/02 

Date: Fri, 31 May 2002 08:00:27 +0200
From: "Martijn de Jong" <mdjong@ada.nl>

please unsubscribe rhie@brezan.nl

-----Oorspronkelijk bericht-----
Van: Simon Burr [mailto:simes@bpfh.net]
Verzonden: donderdag 30 mei 2002 19:30
Aan: Jeff Dafoe
CC: George Dinwiddie; secprog@securityfocus.com
Onderwerp: Re: CGI security on a shared web server

On Wed, May 29, 2002 at 03:46:54PM -0400, Jeff Dafoe wrote:
> Each virtualhost is individually configured such that suexec executes CGIs
>as the user/group that the virtual host owner logs in as.

You can also add chroot()ing the user into their home directory and the
configuration of resource limits as well. The chroot()ing bit does mean that
you have to place various files which will be required by the user's CGI
scripts into the user's home directory - you can use hard links (has problems
with administration and needing to have the source files on the same partition
as the home directories) or loopback mounts (setting up the mount points on
the fly isn't a great idea on a heavily loaded system tho) to do this.

You also have to be careful with what you place within the chroot() environment
to make sure that the user can't gain root privs as its relatively simple to
break out of a chroot() jail on most unix varients as root. The exception to
this is FreeBSD which has chroot() return an error if the calling process has
already called chroot() and it has a file descriptor open on a directory; this
effectively stops the chroot() escape method. 

-- 
    Simon the stressed         http://www.bpfh.net/           simes@bpfh.net
 "Our company name changes so often we have to use plain mugs and PostIt notes"

Relevant Pages

  • Re: CGI security on a shared web server
    ... You can also add chrooting the user into their home directory and the ... as the home directories) or loopback mounts (setting up the mount points on ... You also have to be careful with what you place within the chroot() environment ... to make sure that the user can't gain root privs as its relatively simple to ...
    (SecProg)
  • Re: Giving limited access to remote FTP user via vsftpd
    ... I always chroot the user. ... chroot the user, then create symblink in the users home directory, to ... but is a wonderful feature if you use it right. ... get a custom view of FTP that can follow any path I let them into. ...
    (Fedora)
  • Re: Defining root directory for sftp-server logins
    ... a used cannot escape his home directory (e.g. get a ... listing of all users in /home). ... You need to implement chroot cages, ... This is not the chroot listed in OpenSSH's sshd_config ...
    (comp.security.ssh)
  • Re: OpenSSH CHROOT newbie
    ... >solution to keep users within a home directory. ... >Chroot plugin for SSH, but for the life of me I cannot figure out how to ... You then need to install a chroot cage in the "/./" ...
    (comp.security.ssh)
  • [openSSH] home dir shared between users
    ... I have a host which allows sftp/scp access via user ... All users share one common home directory. ... the username of a different user to login as the users all share ... create a separate home dir in the chroot for every user and do a bind mount ...
    (comp.security.ssh)