httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nathan Neulinger <nn...@umr.edu>
Subject Re: setuid control WITHOUT running as root
Date Mon, 03 Jun 1996 00:17:23 GMT
> ... all of which can be *very* easily arranged for by an attacker on a
> system with "giveaway" chowns --- out-of-the box SGIs, for one.  (I
> just tried it; gave away a file and its enclosing directory to root.
> Other likely "giftees" include 'bin', 'daemon', and 'uucp').
>
> The key check from cgiwrap that you're missing is that "if I'm running
> it as fred, it has to be in fred's directory".  Not any directory that
> happens to be owned by fred, but the *particular* directory which has
> been specifically designated as fred's cgi-bin.

As an FYI, for users who are wanting to do virtual hosting, the current
version of cgiwrap (3.4) allows remapping of user cgi directories...

So basically, if you want all of a particular virtual hosts cgi stuff to
run as 'fred', just re-map fred's cgi directory to that server's cgi
directory.

-----

In fact, this might be a way to do the virtual hosting with user
settings... Create a new userid, such that    $HOME/public_html/cgi-bin is
actually the virtual hosts cgi-bin directory... Then the same checks can be
used for personal user CGIs and for virtual host CGIs.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                  Univ. of Missouri - Rolla
EMail: nneul@umr.edu                  Computing Services
WWW: http://www.umr.edu/~nneul      SysAdmin: rollanet.org



Mime
View raw message