Re: [cgiwrap-users] Get uid/gid from file-owner
From: <web...@du...> - 2000-11-10 04:56:06
This would open up some serious security holes. It would effectively make every executable file setuid. If that doesn't bother you, remember that cgiwrap can be called from the command line, too:

$export PATH_INFO=/bin/sh
$cgiwrap
#

The real exploit would be slightly more complex than that, but not much. You can restrict execution to /home and check for symlinks, but you can still run other users' scripts setuid.

Basically, in order to make this secure, you'd need to lose flexibility in lots of other areas of cgiwrap.

-mike

>
> Hi.
>
> I've already sent this mail to Piotr Klaban and he suggested that I send this
> to the mailing-list... and here it is now :)
>
> feature-request:
> -----
> I can't code C. If so I would do it on my own, but here is my suggestion:
>
> What about adding a feature so cgiwrap gets the UID it should degrade
> itself to from the uid of the file it executes? So there is no more need for
> 'username' in 'cgiwrap/username/filename.cgi'. Just 'cgiwrap/filename.cgi'.
>
> This is how I'm doing it at the moment:
>
> ScriptAlias /cgi-cgiwrap/ /usr/cgiwrap/
>
> <virtualhost ...>
> [..]
> Action cgi-wrapper /cgi-cgiwrap/cgiwrap/username/www
> AddHandler cgi-wrapper .cgi
> [..]
> </virtualhost>
>
> These two lines wouldn't be necessary if cgiwrap would get the uid it should
> degrade itself to from the uid of the file-owner (and maybe the gid too).
> -----
>
> greetings,
>
> daniel
>

--
Mike Glover
web...@du...
Duluoz Networks
http://www.duluoz.net