httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: Restricting types of CGI programs
Date Fri, 02 Aug 2002 08:50:05 GMT
>From: Lee [mailto:lee@unassemble.co.uk]
>
>I would like to try and restrict the types of CGI scripts that 
>can be run
>from my webserver (Apache 1.3.26  & 1.3.26 with mod_ssl 
>running on FreeBSD
>4.6).  Does anyone know if this is possible?
>Basically I want to restrict users to only being able to run 
>Perl scripts.

I can't think of an easy way to do this... The CGI engine just grabs the file and passes it
to the OS which tries to execute it - whether it loads an interpreter (perl or shell-script)
or executes it directly (compiled binary) depends on the file contents. Apache doesn't have
the capability to look into the file and recognise its architecture.

A workaround would be to write a program which would:

- parse httpd.conf to find the locations of all CGI progs (ScriptAlias or AddHandler lines)
- read each CGI prog and, using clever pattern matching, decide if it is a "legal" program
- if it finds an "illegal" program, remove it, or (less draconian) switch off the execute
permission and alert the admin (You).

This monitor program could be invoked to run every minute by crond or could be a daemon...

Presumably you want to do this so you can audit their code and check they are not doing anything
dangerous? Be warned that anything you can do in C, you can do in Perl - there is nothing
intrinsically "safe" about Perl. Also, regards readability, there used to be a competition
in the Perl Journal where contestants had to write a program which looked like it did one
thing but, in fact, did another. Failing that, they got points for a program which was impossible
to read. This was the Obfuscated Perl Contest. So I wouldn't be too confident that you will
always be able to screen out dodgy code - it is quite easy to make write-only Perl :-)

Rgds,

Owen Boyle 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
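A sketch of the monitor program Owen outlines, added here as an example that is not part of the original message: it pulls the ScriptAlias directories out of httpd.conf, classifies every executable in them from its first bytes (shebang line or ELF header), and takes the "less draconian" route of stripping the execute bits from anything that is not a Perl script. The `demo()` function builds a throwaway cgi-bin with three constructed files; AddHandler-based layouts, the crond scheduling and the alert to the admin are left out.

```python
import os
import shlex
import tempfile

EXEC_BITS = 0o111  # user, group and other execute bits

def parse_script_dirs(conf_text):
    """Return the filesystem directories named by ScriptAlias lines in httpd.conf."""
    rows = [shlex.split(line, comments=True) for line in conf_text.splitlines()]
    return [r[2].rstrip("/") for r in rows if len(r) == 3 and r[0].lower() == "scriptalias"]

def classify(head):
    """Guess what the OS will do with a CGI program from its first bytes."""
    if head.startswith(b"\x7fELF"):
        return "elf-binary"  # compiled program, executed directly
    if head.startswith(b"#!"):
        interp = head.split(b"\n", 1)[0][2:].strip().lower()
        return "perl" if b"perl" in interp else "other-interpreter"
    return "unknown"  # neither shebang nor ELF header

def audit_dir(path):
    """List executable files in a CGI directory that are not Perl scripts."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full) and os.stat(full).st_mode & EXEC_BITS:
            with open(full, "rb") as fh:
                kind = classify(fh.read(128))
            if kind != "perl":  # only says which interpreter runs it, not whether it is safe
                findings.append((full, kind))
    return findings

def quarantine(full):
    """The less draconian response: drop the execute bits and leave the file for review."""
    os.chmod(full, os.stat(full).st_mode & ~EXEC_BITS)

def demo():
    with tempfile.TemporaryDirectory() as cgi_bin:  # constructed cgi-bin with three sample files
        for name, body in {"hello.pl": b"#!/usr/bin/perl -w\nprint 1;\n",
                           "env.cgi": b"#!/bin/sh\nenv\n",
                           "native.cgi": b"\x7fELF" + b"\0" * 12}.items():
            full = os.path.join(cgi_bin, name)
            with open(full, "wb") as fh:
                fh.write(body)
            os.chmod(full, 0o755)
        findings = audit_dir(cgi_bin)
        for full, _ in findings:
            quarantine(full)
        still_exec = any(os.stat(f).st_mode & EXEC_BITS for f, _ in findings)
        return [(os.path.basename(f), k) for f, k in findings], still_exec
```

Run against a real server you would call `audit_dir()` on each entry from `parse_script_dirs(open("/usr/local/etc/apache/httpd.conf").read())` (path assumed) from cron, and keep in mind Owen's point that a shebang naming perl proves nothing about what the script does.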

