Re: How to install a program to run from a cgi - securely - newbie ?

From: Adaptrx (adaptr@adaptr.xs4all.nl)
Date: 01/31/02 

From: "Adaptrx" <adaptr@adaptr.xs4all.nl>
Date: Thu, 31 Jan 2002 22:28:47 +0100

"David Jourard" <bytes@eol.ca> wrote in message
news:3C58E344.B576305B@eol.ca...
> Hi,
>
> I'm new to web adminstration and installation; so I was wondering is it
> standard practise to do the following for a program installed by root
> and which will be used by all virtual hosts from a cgi program:
>

Well, tho I am by no means a security wizard myself -as a long-time WinDOS
user the staggering security and permission strategies of *nix had me
gasping for months ;-) - I'd like to give it a try

First off, you need to realise (if you already do, don't be insulted ;-)
that running something ON a machine is entirely different than running a CGI
on a website that resides on that machine...

The permissions for running CGI programs are mostly governed by the web
server software and ITS permissions (i.e. effective user - what it runs AS),
and these permissions hold for any program run BY that CGI prog...it just
passes along its set of permissions to its 'children'.

With the standard Apache that comes with nearly all versions of linux, it
runs as its own user and group (apache) and any CGI scripts run THRU the
webserver are of necessity (and for security!) restricted to those
permissions; generally a user who has read-only access to the web
directories.

> 1. to create a user with no password (hence no remote access), and in
> its own group and
>
> 2. the ownership of the program I installed will be owned by that user
> and part of its group
>

Should be fine, but if it's a CGI and the webserver has to execute it, it
might be simpler to just set these perms and ownerships to the web server
user/group.

> 3. and if the program needs to be run as a daemon to run it as that user
>
> not as root
>

Well - i'd say IF you have to run a daemon as an outside user (for a virtual
website) then using a non-privileged user seems safest - but it might be
more secure to use a daemon that does what you want for multiple users
simultaneously - run that as root and let users connect to it or request
things as users
But this depends on what daemons you mean o'course - i can't think of any
(off-hand) that you'd want to RUN from a CGI script for a virtual web host..

> 4. and if any data files are created to be owned by that user.
>
> for the purposes of security.
>
> I say security because that user has no telnet/ssh/ftp access to the
> server whereas root does and if anyone was able to take advantage of
> security issues related to the said installed program - root would be
> protected.

Hum. Well. The 'security issues' you refer to would be inherent in the said
program right ? so either you're running it insecurely, or it's a bad
program...
BUT more importantly - any half-decent linux or unix distribution will NEVER
allow root access via any network login protocol - this is asking for
trouble...

>
> I ask because I followed the instructions for installing mysql (from a
> mysql book) and this was what is recommended and I was wondering if it
> is standard for all programs.

AFAIK mysql installs itself (mostly) and creates a mysql user to run the
server with - no problems there (no root involved anywhere)
>
> For example now I have the linux stats program webalizer running as root
>
Why would you want to HAVE this running ? its default configuration runs it
periodically (from cron) so you have relatively up-to-date stats for your
web pages
and i think it runs as a normal user...

IF and when you feel you need REALTIME web server analysis, try a stats
server that supports this (analog ?), but it will invariably be more
complicated than webalizer.

> but, if what is stated above is true then I should create its own user
> to own it
> and run it.
>
> Being new to this I need some advice and confirmation of what I stated
> above.
>
> Thanks
> David
>
Well I sure hope any of this helps...

Relevant Pages

  • Re:Re:Deploring *nix Philosophy ( Was Re : Splitting archives across floppies )
    ... 'Desktop Installation' - installation on a single home PC shared by ... sudo or go to root account to wriggle out.Now either I share root password ... again compromising security or go to Windows and do it. ... I am an Economics professional and want to drive my car to workplace, ...
    (Fedora)
  • is it a security problem in Mandrake 9.1???
    ... password......after installation click on any other rpm that is ... to be installed and it goes on smoothely without root ... serious it a security flaw and should be corrected.... ... Training features 6 hand-on courses on May 12-13 taught by professionals. ...
    (Security-Basics)
  • Re: is it a security problem in Mandrake 9.1???
    ... > password......after installation click on any other rpm that is ... > to be installed and it goes on smoothely without root ... Red Hat uses a similar session setup. ... notified of a possible security problem in their implementation. ...
    (Security-Basics)
  • How to install a program to run from a cgi - securely - newbie ?
    ... I'm new to web adminstration and installation; so I was wondering is it ... standard practise to do the following for a program installed by root ... I say security because that user has no telnet/ssh/ftp access to the ...
    (comp.os.linux.security)
  • Greetings / Newbie questions
    ... I am having a bit of trouble deciding which to use: Gnome or KDE. ... - Running Totem as Root (I've found that lots of things need to be done ... I have Installed Unreal Tournament 2004 for Linux. ... these current versions to be excellent in terms of ease of installation and ...
    (alt.os.linux.redhat)