httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nathan Neulinger <nn...@umr.edu>
Subject Re: setuid control WITHOUT running as root
Date Sun, 02 Jun 1996 21:12:58 GMT
> There really isn't much in this wrapper that can be misconfigured.
> I'm for keeping it as simple as possible.

Definately want to keep it as simple as possible...

> Realizing that you (Nathan, the author of CGIWrap) is on the list,
> it would be helpful to have your eyes look this over since you are
> pretty familiar with this type of wrapper.

Looks ok.. I don't see anything in there that is too blatant... I would
reccomend adding in the ability to use syslog for logging though... That's
one less thing that would have to be configured in the sucgi code.

Also, I'm not sure that the vfprintf() call is available everywhere... (Not
positive though.) I seem to remember wanting to use that for cgiwrap and
noticing that it was not available on one of the architectures I was
building for.

> Take another look. It's *very* simple. It does manage to arrest
> the main complaint of my previous suggestions by removing the
> need to run EUID root Apache. I've added a logfile to help catch
> the bad guys and disabled it's ability to execute a setuid(0) or
> setgid(0) request. You can't pass an argument with an absolute
> path. I suppose that refusing to execute symlinks would also be
> in order.

The only additional check I would put in would be requiring that the owner
of the script already match the person you are setuid()'ing to... This
covers people's butt's if they set up stupid permissions on there
directories. Some systems don't always do the change id's correctly, or
don't change both the real and effective id's.

Sure, it doesn't help all systems (chown), but it does help quite a few...

I'd also double check the change of uid/gid, even though it is probably
unnecessary.

If it seems like this module works ok, and no one sees any problems, I'll
probably wind up switching to it myself...

-- Nathan

------------------------------------------------------------
Nathan Neulinger                  Univ. of Missouri - Rolla
EMail: nneul@umr.edu                  Computing Services
WWW: http://www.umr.edu/~nneul      SysAdmin: rollanet.org



Mime
View raw message