httpd-users mailing list archives

From Doug McNutt <dougl...@macnauchtan.com>
Subject Re: [users@httpd] Running cgi binaries as root
Date Thu, 26 Jan 2012 18:51:29 GMT
At 09:56 -0500 1/26/12, Mark Montague wrote, and I snipped a bunch:
>On January 26, 2012 2:50, Tarzan Jane <lapierre62@hotmail.com> wrote:
>
>>Concerning the security I believe when using binary scripts, security is increased some levels. Since the cgi binaries are no longer ASCII files, injecting or altering code is hardly possible. The only way to breach security is to replace the binary itself. And for that you need to know which type of processor is being used to produce the correct executable. I can tell it's not Intel or AMD......
>>If I overlook something concerning security please let me know.
>>
>
>If you use binary executables instead of interpreted scripts, it's true that you eliminate some security concerns. For example, the attacker cannot provide high level code for the binary to interpret at runtime unless the binary contains its own interpreter for some reason (or invokes an external interpreter, which you may not be aware of in all cases). However, there are still many security concerns which still exist. And there are types of attacks that binary executables are *more* vulnerable to than scripts -- for example, buffer overflow and/or stack smashing attacks.


What about cgiwrap? Is it still supported? Can it do the job? I know it's not a perfect solution but at least it's an attempt.
-- 

-->  Halloween  == Oct 31 == Dec 25 == Christmas  <--

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
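
The buffer-overflow point in the quoted reply, shown as an added example that is not part of either poster's message: a C CGI handler that copies a `QUERY_STRING` field into a fixed buffer, first in the unsafe form and then with length and content checks. The `user` field, `USER_MAX`, `ALLOWED`, both function names and the choice to exit when running as root are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define USER_MAX 32  /* assumed size limit for the hypothetical "user" field */
#define ALLOWED "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"

/* Unsafe pattern, shown for contrast and never called here: the copy length
 * is chosen by the client, so a long value overruns the caller's buffer. */
void unsafe_get_user(const char *query, char *dst)
{
    const char *v = strstr(query, "user=");
    if (v) strcpy(dst, v + 5);
}

/* Hardened form: returns 0 and fills dst, or -1 if the field is missing,
 * empty, too long for dst, or holds bytes outside ALLOWED (no %-decoding). */
int get_user(const char *query, char *dst, size_t dstlen)
{
    const char *v;
    size_t n;

    if (!query || !dst || dstlen == 0) return -1;
    /* Match "user=" only at the start of a parameter, not inside "superuser=". */
    for (v = query; (v = strstr(v, "user=")) != NULL; v += 5)
        if (v == query || v[-1] == '&') break;
    if (!v) return -1;
    v += 5;
    n = strcspn(v, "&");                       /* value ends at '&' or NUL */
    if (n == 0 || n >= dstlen) return -1;      /* reject, do not truncate */
    if (strspn(v, ALLOWED) < n) return -1;     /* allow-list the bytes */
    memcpy(dst, v, n);
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    char user[USER_MAX];

    if (geteuid() == 0) return 1;  /* example's choice: refuse to run as root */
    if (get_user(getenv("QUERY_STRING"), user, sizeof user) != 0) {
        fputs("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nbad request\n", stdout);
        return 0;
    }
    printf("Content-Type: text/plain\r\n\r\nhello %s\n", user);
    return 0;
}
```

Rejecting an oversized value instead of truncating it keeps the handler from acting on input the client did not actually send in that form.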

