From (Robert S. Thau)
Subject Re: SetUID once again
Date Tue, 26 Mar 1996 00:32:16 GMT
  The way CGIWRAP does this is that it looks only in that person's
  directory, makes sure that the directory and the file are owned by
  the same person (and even same group if you want) and only then
  executes. Thus, to run a 'root' script, I need to be able to write to
  root's HOME in the first place to plop my script there.

Could you go into a bit more detail about how this scheme works?  
In particular, when you say that CGIWRAP looks only in "that person's
directory", do you mean that it will execute CGI scripts only from
the owner's actual home directory, or from subdirectories as well?

The reason I ask is because on some systems, root's home directory
is '/', meaning that every file in the system is in a subdirectory
of root's home directory.

(That's only half the check you describe, of course; you still have to
find a publicly writable directory owned by root to put the
"giveaway" script in, assuming that SYSV chown won't let you give away
directories.  Depending on how the system is set up, that may or may
not be hard --- /tmp and /usr/tmp would be the first places I'd look,
with /usr/spool being another source of likely candidates, but
sometimes they're owned by "bin", "maint", or "uucp").
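
The following is an added example, not part of the original message and not CGIWRAP's code: a sketch of a wrapper-side check that closes the two gaps discussed above by refusing a home directory of '/' and by requiring every path component from the home directory down to the script to be owned by the target user and not group- or world-writable. The function name, the reason codes and the minimum-uid floor of 100 are assumptions made for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath(), lstat() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Reason codes (hypothetical names, not CGIWRAP's). */
enum { CHK_OK, CHK_UID, CHK_HOME, CHK_PATH, CHK_OUTSIDE, CHK_OWNER, CHK_WRITABLE, CHK_TYPE };

/* Decide whether `script` may be run as `uid`, whose home directory is `home`. */
int check_script(const char *home, uid_t uid, uid_t min_uid, const char *script)
{
    char rhome[PATH_MAX], rscript[PATH_MAX], *p, saved;
    struct stat st;
    size_t hlen;

    if (uid < min_uid) return CHK_UID;             /* never wrap root or system accounts */
    if (!realpath(home, rhome) || !realpath(script, rscript)) return CHK_PATH;
    hlen = strlen(rhome);
    if (hlen < 2) return CHK_HOME;                 /* home is "/": "under home" means nothing */
    if (strncmp(rscript, rhome, hlen) != 0 || rscript[hlen] != '/') return CHK_OUTSIDE;

    /* Check home itself, then every directory below it, then the script. */
    for (p = rscript + hlen; ; p = p + 1 + strcspn(p + 1, "/")) {
        saved = *p;                                /* '/' or the final '\0' */
        *p = '\0';
        if (lstat(rscript, &st) != 0) return CHK_PATH;
        *p = saved;
        if (st.st_uid != uid) return CHK_OWNER;    /* e.g. a file left in a shared directory */
        if (st.st_mode & (S_IWGRP | S_IWOTH)) return CHK_WRITABLE;
        if (saved == '\0') break;
    }
    return S_ISREG(st.st_mode) ? CHK_OK : CHK_TYPE;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s HOME SCRIPT\n", argv[0]); return 2; }
    int rc = check_script(argv[1], geteuid(), 100, argv[2]);  /* 100: assumed uid floor */
    printf("%s: %s\n", argv[2], rc == CHK_OK ? "allowed" : "refused");
    return rc;
}
```

The lstat checks and the later exec are separate steps, so a wrapper using this logic still has to deal with the window between them.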


