httpd-dev mailing list archives

From r..@ai.mit.edu (Robert S. Thau)
Subject Re: setuid control WITHOUT running as root
Date Sun, 02 Jun 1996 17:45:56 GMT
  A better approach would be to design along the lines of "CGI execution
  filter". Basically saying something like: "Yes, you can run a cgi script in
  this directory, but it has to be executed through this filter first."

Hmmm... AddHandler may already allow for this, via something like

  <Directory target>
  # every file ending in "cgi" in this directory is given the
  # "wrapped-cgi" handler ...
  AddHandler wrapped-cgi cgi
  # ... and that handler is served by running the wrapper (mod_actions),
  # which then decides whether and as whom to run the script
  Action wrapped-cgi /my/cgi/wrapper
  </Directory>

(or you could use an AddType and an httpd/wrapped-cgi MIME type ---
apologies to all if I got the syntax on these things wrong).

What the suCGI approach buys you, which is a real convenience in
some cases, is tighter integration with the rest of the server's
configuration machinery, at the cost of putting the entire thing,
including third-party modules, in your security kernel (a term of
art for "the code you have to trust" --- and yes, we are already
trusting the server not to give away 'www' to outsiders, but we don't
yet have to trust it not to give away one user's privileges to another,
where both already have access to the machine.  The latter is the new
risk here, and I'm evaluating everything relative to it).

However, in order for that to really work, the server does need a way
to authenticate itself to the wrapper.  I can think of a few
approaches off the top of my head, of which the neatest is to just
have the server digitally sign the pathname it is trying to exec, and
put the signature in an environment variable.  Unfortunately, that
runs afoul of patent protection.

There are also approaches you could use along the lines of HTTP digest
auth, but those rely on the server and wrapper having a shared secret
(e.g., 32 bits of random data chosen by the server on startup).  Not
only is management of that secret a bit tricky, but as Netscape found
out to their chagrin, generating 32 bits of truly random data on a
Unix box is difficult to begin with, particularly if the potential
attackers have access to the innards of the box.

rst
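The shared-secret option above, as an added illustration that is not code from this message, from Apache or from suCGI: the server computes a keyed hash over the script path and the target uid/gid and passes it to the wrapper in the environment; the wrapper recomputes it from the fields it actually received and refuses anything that does not match. The environment variable names (WRAPPED_CGI_*), the function names, the use of HMAC-SHA256, and the 256-bit secret (rather than the 32 bits mentioned) are all assumptions of this sketch. The owner check at the end is the independent defence a wrapper still needs, because a correct tag only proves the server asked for this path, not that the path is a script the target user is allowed to run.

```python
# Added example (not from the original message, Apache, or suCGI): a
# shared-secret tag authenticating the server's exec request to a setuid
# wrapper. All names below are assumptions made for this sketch.
import hashlib
import hmac
import os
import secrets
import stat
import struct
import tempfile


def new_shared_secret() -> bytes:
    # Server side, once at startup: 32 bytes (256 bits) from the OS CSPRNG.
    # The wrapper reads the same value from a file only root and the server's
    # user can read; the secret itself never goes into the environment.
    return secrets.token_bytes(32)


def _canonical(script_path: str, uid: int, gid: int) -> bytes:
    # Length-prefix each field so that shifting bytes between fields can
    # never yield the same message (no "a"+"bc" == "ab"+"c" ambiguity).
    fields = [script_path.encode("utf-8"), str(uid).encode(), str(gid).encode()]
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def sign_exec_request(secret: bytes, script_path: str, uid: int, gid: int) -> str:
    # HMAC-SHA256 over (path, uid, gid): the tag commits the server to
    # exactly this script running as exactly this user and group.
    msg = _canonical(script_path, uid, gid)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_wrapper_env(secret: bytes, script_path: str, uid: int, gid: int) -> dict:
    # Server side: what the server places in the wrapper's environment
    # before exec'ing it (variable names are assumptions for this example).
    return {
        "WRAPPED_CGI_PATH": script_path,
        "WRAPPED_CGI_UID": str(uid),
        "WRAPPED_CGI_GID": str(gid),
        "WRAPPED_CGI_MAC": sign_exec_request(secret, script_path, uid, gid),
    }


def wrapper_accepts(secret: bytes, env: dict) -> bool:
    # Wrapper side (the setuid program): recompute the tag from the fields
    # actually received and compare in constant time. A missing or malformed
    # field is a refusal, never an exception.
    try:
        path = env["WRAPPED_CGI_PATH"]
        uid = int(env["WRAPPED_CGI_UID"])
        gid = int(env["WRAPPED_CGI_GID"])
        tag = env["WRAPPED_CGI_MAC"]
    except (KeyError, ValueError):
        return False
    expected = sign_exec_request(secret, path, uid, gid)
    return hmac.compare_digest(expected, tag)


def script_owned_by(path: str, uid: int) -> bool:
    # Defence in depth, independent of the tag: only run a regular file owned
    # by the target user whose final path component is not a symlink, so a
    # valid tag cannot be aimed at another user's file.
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and st.st_uid == uid


def demo() -> dict:
    # Exercises both checks; the temp file is constructed sample input.
    secret = new_shared_secret()
    env = build_wrapper_env(secret, "/home/alice/cgi-bin/hello.cgi", 1001, 1001)
    results = {
        "genuine": wrapper_accepts(secret, env),
        "other_path": wrapper_accepts(secret, dict(env, WRAPPED_CGI_PATH="/home/bob/cgi-bin/x.cgi")),
        "uid_zero": wrapper_accepts(secret, dict(env, WRAPPED_CGI_UID="0")),
        "wrong_secret": wrapper_accepts(new_shared_secret(), env),
        "no_tag": wrapper_accepts(secret, {k: v for k, v in env.items() if k != "WRAPPED_CGI_MAC"}),
        "bad_uid_field": wrapper_accepts(secret, dict(env, WRAPPED_CGI_UID="x")),
    }
    with tempfile.NamedTemporaryFile(delete=False) as f:
        sample = f.name
    try:
        me = os.getuid()
        results["own_file"] = script_owned_by(sample, me)
        results["someone_else"] = script_owned_by(sample, me + 1)
        results["missing_file"] = script_owned_by(sample + ".missing", me)
    finally:
        os.unlink(sample)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} accepted={ok}")
```

Because the tag binds the path and the uid/gid, a local user who manages to see one cannot reuse it to run a different script or run as a different user; the most a replayed tag can do is re-run the same script as the same user, which the web server would have done anyway. The secret-management problems mentioned in the message (choosing it, storing it where only the server and the wrapper can read it) are not solved by this sketch; it only shows the checking side.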

