httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <>
Subject Re: SetUID once again
Date Tue, 26 Mar 1996 02:07:52 GMT
Robert S. Thau wrote:
>   The way CGIWRAP does this is that it looks only in that person's
>   directory, makes sure that the directory and the file are owned by
>   the same person (and even same group if you want) and only then
>   executes. Thus, to run a 'root' script, I need to be able to write to
>   roots HOME in the first place to plop my script there.
> Could you go into a bit more detail about how this scheme works?  
> In particular, when you say that CGIWRAP looks only in "that person's
> directory", do you mean that it will execute CGI scripts only from
> the owner's actual home directory, or from subdirectories as well?

The 'cgiwrap' program is placed in the cgi-bin directory and it SUID
root. Hardwired into cgiwrap is the location of the user's cgi-bin
directory, relative to their home directory. Using the "standard" setup,
cgiwrap expects user cgi-scripts to be located in ~user/public_html/cgi-bin

Thus, when a user calls the script using: /cgi-bin/cgiwrap/~user/script
cguwrap does a 'chdir()' to ~user/public_html/cgi-bin. It then checks the
owner of that directory and the owner of the script 'script' against
'user'. If the same (and possibly also the same group: it's a compile-time
option), cgiwrap will SUID 'user' and then exec the script.

'cgiwrap' does other checks like sanitising username and script input,
not allowing sub-directories, calling initgroups() if required, etc...

Jim Jagielski  << >>   |      "That's a Smith & Wesson,
  **  jaguNET Access Services  **      |       and you've had your six" 
      Email:          |             - James Bond
++         +++      Voice/Fax: 410-931-3157       ++

View raw message