Thread: [cgiwrap-users] A beginner's question about "security checks"
From: Ali G. <gha...@gm...> - 2011-08-20 01:56:22
Hello world!
I just found cgiwrapper, I was reading this page. At the end of the first paragraph it says "...In addition, several security checks are performed on the script, which will not be executed if any checks fail."

I couldn't find anything about those "security checks". I'd appreciate it if you guys help me with a link or any details.

--
Sincerely
A. Ghanavatian <http://www.google.com/profiles/ghanavatian.ali>

From: Nathan N. <nn...@ne...> - 2011-08-22 13:17:47
Mainly stuff like whether the script is setuid, or has improper permissions (i.e. 777) or isn't owned by the same user as the account it would be running as.

-- Nathan

On 08/19/2011 08:55 PM, Ali Ghanavatian wrote:
> Hello world!
> I just found cgiwrapper, I was reading this page. At the end of the first paragraph it says "...In addition, several
> security checks are performed on the script, which will not be executed if any checks fail."
>
> I couldn't find anything about those "security checks". I'd appreciate it if you guys help me with a link or any details.
>
> --
> Sincerely
> A. Ghanavatian <http://www.google.com/profiles/ghanavatian.ali>

--
------------------------------------------------------------
Nathan Neulinger nn...@ne...
Neulinger Consulting (573) 612-1412

From: Ali G. <gha...@gm...> - 2011-08-22 13:23:56
All right, correct me if I'm wrong: I can't run a perl/script which executes "/sbin/*" stuff like "/sbin/iptables" using this wrapper, unless I change the owner of all "cgi-bin/*" scripts to "root".

On Mon, Aug 22, 2011 at 5:47 PM, Nathan Neulinger <nn...@ne...> wrote:
> Mainly stuff like whether the script is setuid, or has improper permissions
> (i.e. 777) or isn't owned by the same user as the account it would be
> running as.
>
> -- Nathan

--
Sincerely
A. Ghanavatian <http://www.google.com/profiles/ghanavatian.ali>

From: Nathan N. <nn...@ne...> - 2011-08-22 13:26:58
No - the whole point is to run the scripts with individual user level permissions. You probably should seek some assistance from a knowledgeable admin for how to do it securely.

For limited admin functionality, you most likely will want to use sudo with a NOPASSWD entry for the SPECIFIC commands that you want to use from the cgi script, but even with that you need to be very careful with how you do it or you're going to open up security holes.

-- Nathan

On 08/22/2011 08:23 AM, Ali Ghanavatian wrote:
> All right, correct me if I'm wrong: I can't run a perl/script which executes "/sbin/*" stuff like "/sbin/iptables" using
> this wrapper, unless I change the owner of all "cgi-bin/*" scripts to "root".

--
------------------------------------------------------------
Nathan Neulinger nn...@ne...
Neulinger Consulting (573) 612-1412

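
One way to keep the sudo route narrow, as an added example that is not from the thread or from cgiwrap: sudoers names a single root-owned helper, and that helper, not the CGI script, validates its one argument and passes a fixed argument vector to /sbin/iptables with no shell involved. The sudoers line in the comment, the user name `alice`, the helper path `/usr/local/sbin/block-ip`, the chosen iptables rule and the function names are all assumptions.

```c
/* Added example, not from the thread or cgiwrap. Hypothetical root-owned
 * helper installed as /usr/local/sbin/block-ip and allowed in sudoers with:
 *     alice ALL=(root) NOPASSWD: /usr/local/sbin/block-ip
 * (user name and path are assumptions). The CGI script runs
 * "sudo -n /usr/local/sbin/block-ip <addr>". Because alice can also call
 * the helper directly with any argument, the validation must live here. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define IPTABLES "/sbin/iptables"

/* Accept exactly one dotted-quad IPv4 literal. Options, spaces, CIDR
 * suffixes and host names all fail inet_pton() and are refused. */
int valid_ipv4(const char *s)
{
    struct in_addr a;
    return s != NULL && strlen(s) <= 15 && inet_pton(AF_INET, s, &a) == 1;
}

/* Fill out[] with a fixed argument vector; only the address varies.
 * Returns 0 on success, -1 if the address is refused. */
int build_argv(const char *addr, const char *out[8])
{
    if (!valid_ipv4(addr))
        return -1;
    out[0] = IPTABLES; out[1] = "-A"; out[2] = "INPUT";
    out[3] = "-s";     out[4] = addr; out[5] = "-j";
    out[6] = "DROP";   out[7] = NULL;
    return 0;
}

int main(int argc, char **argv)
{
    const char *args[8];
    char *const empty_env[] = { NULL };   /* drop the caller's environment */

    if (argc != 2 || build_argv(argv[1], args) != 0) {
        fprintf(stderr, "usage: block-ip <IPv4 address>\n");
        return 2;
    }
    /* execve(): absolute path, no shell, no PATH lookup. */
    execve(IPTABLES, (char *const *)args, empty_env);
    perror("execve");
    return 1;
}
```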
From: Ali G. <gha...@gm...> - 2011-08-22 13:29:36
Now I see. Thank you.

On Mon, Aug 22, 2011 at 5:56 PM, Nathan Neulinger <nn...@ne...> wrote:
> No - the whole point is to run the scripts with individual user level
> permissions. You probably should seek some assistance from a knowledgeable
> admin for how to do it securely.
>
> For limited admin functionality, you most likely will want to use sudo with
> a NOPASSWD entry for the SPECIFIC commands that you want to use from the cgi
> script, but even with that you need to be very careful with how you do it or
> you're going to open up security holes.
>
> -- Nathan

--
Sincerely
A. Ghanavatian <http://www.google.com/profiles/ghanavatian.ali>