On Sun, Oct 22, 2000 at 09:06:48AM -0400, Thomas R. Shemanske wrote:
> I administer a couple of linux machines (potato based), and have a user
> who wants to run cgi-bin scripts, and I would like to know if there are
> security concerns.
>
> Currently all cgi-bin scripts which run are in /usr/lib/cgi-bin and
> owned by root. As far as I can tell Apache is configured to look only
> there for such scripts. My recollection is that it used to be
> otherwise. There is apparently an Apache option to allow users to run
> cgi scripts called suEXEC, but this looks like it could open me up for
> more trouble than it is worth.
>
> On the other hand, there appears to be an easy solution, but I am
> unclear as to the security implications. Here is the proposed
> solution.
>
> To allow userX to execute cgi scripts from ~userX/public_html/cgi-bin,
<DirectoryMatch ^/home/.*/public_html>
    order allow,deny
    allow from all
    Options +Indexes +Includes -FollowSymLinks
</DirectoryMatch>

<DirectoryMatch ^/home/.*/public_html/cgi>
    Options +ExecCGI
    SetHandler cgi-script
</DirectoryMatch>

or maybe

<DirectoryMatch ^/home/.*/public_html>
    <FilesMatch "\.cgi$">
        Options +ExecCGI
        SetHandler cgi-script
    </FilesMatch>
</DirectoryMatch>

there are other methods (tmtowtdi). don't cut & paste unless you
understand the security implications!

> Then userX can access her scripts via http://
> hostname/cgi-bin/userX/cgi-bin/script_name.cgi

better yet, http://server.name.here/~username/cgi/scripts or
http://the.server/~login/something.cgi respectively.

> Since apache runs as www-data, does www-data own the cgi script? Does
> the user own the script? If the script executes rm -rf /*, what
> happens?

users should have ownership of their own scripts, so that their scripts
can do no more damage than they can at the shell.

also be conscious of group membership for your users, and the
consequences.

% groups someusername
    see who's in which groups

# usermod
    change default and auxiliary groups for any user (as root)

% ls -l directory/
    see user/group ownership per file

-- 
self-reference, n: see self-reference.
[EMAIL PROTECTED] *** http://www.dontUthink.com/
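The reply above ends with three manual checks (groups, usermod, ls -l). The script below, added here as an example and not part of the thread or of any Debian or Apache tooling, turns the ownership and permission part of those checks into a repeatable audit of a user's CGI directory, and goes slightly beyond the reply by also flagging set-id bits and symlinks. The thing to remember when reading the output is that, with the DirectoryMatch config shown (no suEXEC), the script itself runs as www-data; what ownership and the write bits decide is who can change the file that www-data will execute, so a group- or world-writable .cgi is the finding that matters most. The directory layout ~user/public_html/cgi follows the reply's config; the function names, the fixture files and their contents are this example's own constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a CGI directory for the problems
# the reply's manual checks are meant to catch. Function names, fixture file
# names and contents are this example's own assumptions.

# audit_cgi_dir DIR OWNER
# Prints one line per finding. Octal -perm tests keep this on POSIX find.
#   SYMLINK   symlinks (the config uses -FollowSymLinks, so Apache refuses
#             them, but they still show someone trying to reach outside)
#   NOT_OWNER regular files not owned by OWNER
#   WORLD_W   files anyone on the box can overwrite
#   GROUP_W   files the owning group can overwrite (check that group's members)
#   SETID     setuid/setgid bits, which have no business on a CGI script
audit_cgi_dir() {
    dir=$1
    owner=$2
    find "$dir" -type l -exec printf 'SYMLINK   %s\n' {} \;
    find "$dir" -type f ! -user "$owner" -exec printf 'NOT_OWNER %s\n' {} \;
    find "$dir" -type f -perm -0002 -exec printf 'WORLD_W   %s\n' {} \;
    find "$dir" -type f -perm -0020 -exec printf 'GROUP_W   %s\n' {} \;
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec printf 'SETID     %s\n' {} \;
}

# count_findings DIR OWNER -> total number of finding lines
count_findings() {
    audit_cgi_dir "$1" "$2" | wc -l | tr -d ' '
}

# count_kind DIR OWNER KIND -> number of findings of one kind (e.g. NOT_OWNER)
count_kind() {
    audit_cgi_dir "$1" "$2" | awk -v k="$3" '$1 == k { n++ } END { print n + 0 }'
}

# make_fixture -> path of a constructed cgi directory with known problems
# (sample data for demonstration; these are not real deployed scripts)
make_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho Content-type: text/plain; echo; id\n' > "$d/ok.cgi"
    cp "$d/ok.cgi" "$d/loose.cgi"
    cp "$d/ok.cgi" "$d/grp.cgi"
    cp "$d/ok.cgi" "$d/suid.cgi"
    printf 'not a script\n' > "$d/data.txt"
    chmod 0755 "$d/ok.cgi"            # fine: no finding
    chmod 0777 "$d/loose.cgi"         # group- and world-writable: two findings
    chmod 0775 "$d/grp.cgi"           # group-writable: one finding
    chmod 4755 "$d/suid.cgi"          # setuid bit: one finding
    chmod 0644 "$d/data.txt"          # fine: no finding
    ln -s "$d/ok.cgi" "$d/link.cgi"   # symlink: one finding
    printf '%s\n' "$d"
}

# audit_all_users: walk every ~user/public_html/cgi on the box, deriving the
# expected owner from the home directory name (assumed layout).
audit_all_users() {
    for cgidir in /home/*/public_html/cgi; do
        [ -d "$cgidir" ] || continue
        user=${cgidir#/home/}
        user=${user%%/*}
        audit_cgi_dir "$cgidir" "$user"
    done
}

# Usage: ./audit_cgi.sh DIR [OWNER]   (OWNER defaults to the invoking user)
if [ "$#" -gt 0 ]; then
    audit_cgi_dir "$1" "${2:-$(id -un)}"
fi
```

Run it as root from cron over /home with audit_all_users and anything other than an empty report deserves a look; a GROUP_W line is only harmless once you have run `groups` on every member of that group and are happy for each of them to edit what the web server executes.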