httpd-dev mailing list archives

From (Robert S. Thau)
Subject Re: setuid control WITHOUT running as root
Date Mon, 03 Jun 1996 00:04:37 GMT
  IF you can become 'www', then you will be able to be a bad guy.

For the n'th time, I can't accept that.

  The checks in can_exec(), (which I am about to put in sucgi.c) make
  sure that:

  * the script is owned by the UID that is being switched to.
  * the directory that it resides in is also owned by that UID.
  * the directory is not writable by anyone but the owner.
  * that the file is not already setuid.

... all of which can be *very* easily arranged for by an attacker on a
system with "giveaway" chowns --- out-of-the box SGIs, for one.  (I
just tried it; gave away a file and its enclosing directory to root.
Other likely "giftees" include 'bin', 'daemon', and 'uucp').

The key check from cgiwrap that you're missing is that "if I'm running
it as fred, it has to be in fred's directory".  Not any directory that
happens to be owned by fred, but the *particular* directory which has
been specifically designated as fred's cgi-bin.
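The distinction drawn above, as an added Python sketch (not the httpd sucgi.c or cgiwrap code): the four quoted ownership and mode checks beside the designated-directory check the reply calls for. The directory layout, script names and per-uid cgi-bin lookup are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

def can_exec_checks(script: Path, target_uid: int) -> bool:
    """The four checks quoted in the thread: script and its directory owned
    by target_uid, directory writable only by its owner, script not setuid."""
    st, dst = script.stat(), script.parent.stat()
    if st.st_uid != target_uid or dst.st_uid != target_uid:
        return False
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return not st.st_mode & (stat.S_ISUID | stat.S_ISGID)

def designated_dir_check(script: Path, target_uid: int, cgi_bin_for_uid) -> bool:
    """The cgiwrap-style check the post says is missing: the script must live
    in the one directory designated as this uid's cgi-bin (symlinks resolved)."""
    designated = cgi_bin_for_uid(target_uid)
    return designated is not None and script.resolve().parent == designated.resolve()

def check_script(script: Path, target_uid: int, cgi_bin_for_uid) -> bool:
    return (can_exec_checks(script, target_uid)
            and designated_dir_check(script, target_uid, cgi_bin_for_uid))

def demo() -> dict:
    """Constructed layout (hypothetical paths): two 0700 directories owned by
    the current uid, each holding an identical script. The ownership/mode
    checks pass for both; only the designated-directory check rejects the stray."""
    uid = os.getuid()
    root = Path(tempfile.mkdtemp())
    designated, stray_dir = root / "fred" / "cgi-bin", root / "stray"
    for d in (designated, stray_dir):
        d.mkdir(mode=0o700, parents=True)
    good, stray = designated / "hello.cgi", stray_dir / "hello.cgi"
    for f in (good, stray):
        f.write_text("#!/bin/sh\necho ok\n")
        f.chmod(0o755)
    lookup = lambda u: designated if u == uid else None  # fred's cgi-bin table
    return {
        "good_can_exec": can_exec_checks(good, uid),
        "stray_can_exec": can_exec_checks(stray, uid),
        "good_full": check_script(good, uid, lookup),
        "stray_full": check_script(stray, uid, lookup),
        "good_wrong_uid": check_script(good, uid + 1, lookup),
    }
```

The stray copy satisfies every ownership and mode test yet is refused, because the decision rests on which directory the script is in, not merely who owns it.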
