Received: by taz.hyperreal.com (8.6.12/8.6.5) id KAA06339; Tue, 4 Jun 1996 10:11:14 -0700
Received: from sierra.zyzzyva.com by taz.hyperreal.com (8.6.12/8.6.5) with ESMTP id KAA06322; Tue, 4 Jun 1996 10:11:07 -0700
Received: from zyzzyva.com (localhost [127.0.0.1]) by sierra.zyzzyva.com (8.7.5/8.6.11) with ESMTP id MAA18938 for ; Tue, 4 Jun 1996 12:10:58 -0500 (CDT)
Message-Id: <199606041710.MAA18938@sierra.zyzzyva.com>
To: new-httpd@hyperreal.com
Subject: Re: Authentication
In-reply-to: ben's message of Tue, 04 Jun 1996 17:17:12 +0100. <9606041717.aa14662@gonzo.ben.algroup.co.uk>
X-uri: http://www.zyzzyva.com/
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 04 Jun 1996 12:10:57 -0500
From: Randy Terbush
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

> I've been giving some thought to the authentication question (wrt setuid
> scripts) and it seems to me that it is not possible for the server to prove to
> the setuid program that it is legit by any kind of shared secret, encrypted
> message or anything else of that nature. Why? Because the Bad Guy can examine
> the code to determine the method, and a core dump (or similar) to determine
> any parameters that are needed. He can then write an httpd which runs the
> setuid program using the same method and parameters.
>
> So, are we sunk? Well, not quite. Assuming that the Bad Guy does _not_ have
> root access (coz after all, if he does, we're sunk anyway) we can check that
> the httpd that ran us was run by an httpd which has a userid of root. I think
> this prevents any direct running of the setuid program and therefore, combined
> with other safeguards already discussed, is as secure as it's going to get (and
> is also secure enough).
>
> Comments?

Of course. :-)

First, how do you trace the lineage of the process? getppid() gets a void
argument on Solaris and FreeBSD. The only other way I can get to this info is
via kvm stuff, which I don't think is going to be very portable. Also, since
the server does a setuid(safeuser), do we still have information available
that shows it was started as root? I haven't looked.

I have added the following snippet that should provide a bit more restrictive
area that the hacker can access.

    /* needs <unistd.h>, <string.h>, <stdlib.h> and <sys/param.h> (MAXPATHLEN) */
    #define DOC_ROOT "/www/docroot"

    char buf[MAXPATHLEN];
    char *cwd;
    size_t doclen;

    cwd = getcwd (buf, MAXPATHLEN);
    doclen = strlen (DOC_ROOT);
    /* getcwd() returns NULL on failure; treat that as "outside DOC_ROOT" too.
     * Note: this is a plain prefix test, so "/www/docroot2" also passes. */
    if (cwd == NULL || strncmp (cwd, DOC_ROOT, doclen)) {
        log_err ("invalid command (%s)\n", cmd);
        exit(105);
    }
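The snippet above confines the helper to the document root by comparing the working directory against a fixed prefix. The following is an added example, not code from the message or from the httpd project, showing the two refinements a reviewer would ask for: a boundary check so that a sibling directory sharing the prefix (e.g. "/www/docroot2") is not accepted, and canonicalisation of both paths with realpath() so that ".." components and symlinks cannot make an outside directory look like an inside one. The function names path_within_root() and cwd_within_root() and the exit status reuse are assumptions made for the example.

```c
#define _XOPEN_SOURCE 700   /* for realpath() under strict C standards */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DOC_ROOT "/www/docroot"

/* Pure string check: is `path` equal to `root` or a descendant of it?
 * Both arguments are expected to be absolute, canonical paths.
 * (Added example; path_within_root is an assumed name, not project code.) */
int path_within_root(const char *path, const char *root)
{
    size_t rootlen = strlen(root);

    /* "/" is the parent of every absolute path */
    if (rootlen == 1 && root[0] == '/')
        return path[0] == '/';

    /* strip trailing '/' so "/www/docroot/" behaves like "/www/docroot" */
    while (rootlen > 1 && root[rootlen - 1] == '/')
        rootlen--;

    if (strncmp(path, root, rootlen) != 0)
        return 0;                       /* different prefix entirely */

    /* the character right after the root must be a separator or the end;
     * this is what rejects "/www/docroot2" for root "/www/docroot" */
    return path[rootlen] == '\0' || path[rootlen] == '/';
}

/* Live check for a setuid helper: canonicalise the configured root and the
 * current directory, then compare. Returns 1 if inside, 0 otherwise; any
 * failure of getcwd()/realpath() is treated as "outside" (fail closed). */
int cwd_within_root(const char *root)
{
    char cwd[PATH_MAX];
    char real_root[PATH_MAX];

    if (getcwd(cwd, sizeof cwd) == NULL)
        return 0;
    if (realpath(root, real_root) == NULL)
        return 0;
    return path_within_root(cwd, real_root);
}

int main(void)
{
    /* mirrors the message's snippet: refuse to run outside DOC_ROOT */
    if (!cwd_within_root(DOC_ROOT)) {
        fprintf(stderr, "invalid command: cwd is outside %s\n", DOC_ROOT);
        return 105;
    }
    puts("cwd is inside the document root");
    return 0;
}
```

Because getcwd() already returns the physical (symlink-resolved) directory on common Unix systems, canonicalising the configured root with realpath() is what makes the two sides comparable; without it a DOC_ROOT that is itself a symlink would never match.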