httpd-dev mailing list archives

From Nathan Neulinger <nn...@umr.edu>
Subject Re: setuid control WITHOUT running as root
Date Sun, 02 Jun 1996 17:10:03 GMT
> 4) Unfortunately, looking over the wrapper itself, if you do install
>    it with the suid bit on, I do see a problem --- if you can get a
>    process running as 'www', and this wrapper has been installed
>    suid-root, you can then run the wrapper yourself with argv[1] of
>    root and wreak your will.  Possible ways of getting such a process
>    include *non*-suid CGI, and putting a trojan-horse command where it
>    will get run by a maintenance job.  (Ah, the games you can play
>    with 'uucp'...).  At any rate, it seems a little more paranoia
>    is in order here on the part of the wrapper itself.

This is one of the major reasons that CGIwrap does all the checks itself to
verify that the script should indeed be allowed to run... It has to be
configured with information such as who the http server is running as, and
what it considers acceptable in CGI scripts. For example, it won't run a
setuid script, or a script in "nneul"'s directory that is owned by someone
else.

I personally think it would be better to design any CGI modifications
(along the lines of suCGI) without thinking about setuid purposes...

A better approach would be to design along the lines of "CGI execution
filter". Basically saying something like: "Yes, you can run a cgi script in
this directory, but it has to be executed through this filter first."

The filtering could be special purpose setuid tools, such as the backend
for sucgi or CGIwrap, or could be other tools such as usage
accounting/filtering/etc.

This would isolate the Apache server from the major security concerns of
running setuid scripts and such, but at the same time would allow that
functionality to be added much more easily with add-on tools produced by
other people.

This could be extended to be thought of as a "data access filter" - where
accessing certain data could be passed through an external routine to be
accessed.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                  Univ. of Missouri - Rolla
EMail: nneul@umr.edu                  Computing Services
WWW: http://www.umr.edu/~nneul      SysAdmin: rollanet.org
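The checks described in the message above (only the httpd's uid may invoke the wrapper, never run a setuid script, never run a script in a user's directory that is owned by someone else), written out as a small setuid-root wrapper in C. This is an added example, not CGIwrap's or suCGI's code. The invocation form `wrapper <user> <script>`, the build-time values HTTPD_UID and MIN_USER_UID, and all function names are assumptions made for illustration.

```c
/* Added example (not CGIwrap's or suCGI's code): the checks a setuid-root
 * CGI wrapper must perform itself before switching to the target user.
 * Assumed invocation: wrapper <user> <script-path>. */
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define HTTPD_UID    80    /* assumed uid of the 'www' account the httpd runs as */
#define MIN_USER_UID 1000  /* targets below this (root, system accounts) are refused */

enum wrap_err {
    WRAP_OK = 0,
    WRAP_BAD_CALLER,     /* real uid is not the httpd's */
    WRAP_BAD_TARGET,     /* requested user is root or a system account */
    WRAP_NOT_REGULAR,    /* script is not a regular file */
    WRAP_SETID_SCRIPT,   /* script is setuid or setgid */
    WRAP_WRONG_OWNER,    /* script not owned by the target user */
    WRAP_WRITABLE,       /* script writable by group or other */
    WRAP_OUTSIDE_HOME    /* script not under the target's home directory */
};

/* Only a process whose *real* uid is the httpd's may call the wrapper.
 * This shuts out non-suid CGI running as a user and cron-planted trojans
 * running as anyone else. A process that has already become 'www' passes,
 * which is why the target and script checks below must never trust argv. */
int check_caller(uid_t real_uid) {
    return real_uid == HTTPD_UID ? WRAP_OK : WRAP_BAD_CALLER;
}

/* Never switch to root or a system account, whatever argv[1] says. */
int check_target(uid_t target_uid) {
    return target_uid >= MIN_USER_UID ? WRAP_OK : WRAP_BAD_TARGET;
}

/* The script must be a regular, non-setid file owned by the target user,
 * not writable by anyone else, and located under the target's home.
 * 'path' and 'home' must already be canonical (main() uses realpath) and
 * 'home' must have no trailing slash; the ".." test is belt and braces. */
int check_script(mode_t mode, uid_t owner, uid_t target_uid,
                 const char *path, const char *home) {
    size_t hlen = strlen(home);
    if (!S_ISREG(mode))                  return WRAP_NOT_REGULAR;
    if (mode & (S_ISUID | S_ISGID))      return WRAP_SETID_SCRIPT;
    if (owner != target_uid)             return WRAP_WRONG_OWNER;
    if (mode & (S_IWGRP | S_IWOTH))      return WRAP_WRITABLE;
    if (strncmp(path, home, hlen) != 0 || path[hlen] != '/')
                                         return WRAP_OUTSIDE_HOME;
    if (strstr(path, "/../") != NULL)    return WRAP_OUTSIDE_HOME;
    return WRAP_OK;
}

/* Drop root for good: primary group, then supplementary groups, then uid,
 * and confirm root cannot be regained before exec'ing the script. */
static int become_user(const struct passwd *pw) {
    if (setgid(pw->pw_gid) != 0)         return -1;
    if (setgroups(1, &pw->pw_gid) != 0)  return -1;
    if (setuid(pw->pw_uid) != 0)         return -1;
    if (setuid(0) == 0)                  return -1;  /* privilege was not dropped */
    return 0;
}

int main(int argc, char **argv) {
    char script[PATH_MAX], home[PATH_MAX];
    struct stat st;
    struct passwd *pw;
    int err;

    if (argc != 3) { fprintf(stderr, "usage: wrapper <user> <script>\n"); return 2; }
    if ((err = check_caller(getuid())) != WRAP_OK)            goto refuse;
    if ((pw = getpwnam(argv[1])) == NULL) { err = WRAP_BAD_TARGET; goto refuse; }
    if ((err = check_target(pw->pw_uid)) != WRAP_OK)          goto refuse;
    if (realpath(argv[2], script) == NULL ||
        realpath(pw->pw_dir, home) == NULL) { err = WRAP_OUTSIDE_HOME; goto refuse; }
    if (stat(script, &st) != 0)           { err = WRAP_NOT_REGULAR; goto refuse; }
    if ((err = check_script(st.st_mode, st.st_uid, pw->pw_uid, script, home)) != WRAP_OK)
        goto refuse;
    if (become_user(pw) != 0) { fprintf(stderr, "wrapper: cannot drop privileges\n"); return 1; }
    /* CGI variables in the environment are passed through to the script. */
    execl(script, script, (char *)NULL);
    perror("wrapper: execl");
    return 1;
refuse:
    fprintf(stderr, "wrapper: refused (reason %d)\n", err);
    return 1;
}
```

Two caveats a practitioner would want: the stat()-then-execl() sequence leaves a window in which the script can be swapped (a production wrapper should open the file once, fstat() that descriptor, and exec through it), and the inherited environment is passed through untouched because CGI scripts need the request variables; anything the interpreter honours from the environment therefore reaches it under the target user's identity.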


