[cgiwrap-users] RE:
From: Ralph H. <rj...@mo...> - 2001-08-08 14:42:05
Thank you Nathan, but let me ask further: Since, in the setup I described, a script called from the /cgi-bin/ dir and run as the server uid does not call or involve cgiwrap, I'm unclear as to how making cgiwrap available for running scripts from another dir could pose a problem. Are you saying that running scripts as the server uid when cgiwrap is also available (from another dir not in the html tree) is a problem, or are you saying that running scripts as the server uid is the problem, regardless of the availability of cgiwrap or suexec? If the latter, well okay, there are trade-offs between security and usability and we all have to decide where to draw the line. But if the former, then I don't understand why (forgive me).

Just to be clear: none of our machines run cgiwrapped scripts as the server uid. All wrapped scripts run as the owner of the script as intended by the wrapping. However, users are allowed to run unwrapped scripts as the server uid, but I don't see how anything can then be passed to cgiwrap. Am I missing something here?

(Thanks very much for taking the time to respond.)

Ralph

On Wed, 8 Aug 2001, Neulinger, Nathan wrote:

> CGIwrap, and any wrapper for that matter, is basically following the
> following logic at its core:
>
> A. Am I running as the web server userid?
> B. If so, figure out who to run desired script as, and switch to their
> userid and run it.
>
> The presumption is that no one should have access to the server userid.
>
> Since you're letting someone run as the server id, it could pass ANY data to
> cgiwrap, bypassing any authorization checks, and also contaminating the
> environment, path, etc.
>
> If a script is written 100% securely, then this might not be too bad, but
> let's just say it's safe to say that it's not a good idea. It's not insecure
> by itself, it just opens up lots of other potential holes.
>
> -- Nathan
>
> > -----Original Message-----
> > From: Ralph Huntington [mailto:rj...@mo...]
> > Sent: Wednesday, August 08, 2001 8:44 AM
> > To: Neulinger, Nathan
> > Cc: Adrian Parker; cgi...@li...
> > Subject: RE: [cgiwrap-users] OpenSRS 2.41 + CGIWrap
> >
> > Well, frankly, no, I didn't realize that. Could you explain to us, please,
> > how that condition obtains?
> >
> > i.e., How is running a script as the server uid when cgiwrap is present
> > different than running a script as the server uid when cgiwrap is not
> > present?
> >
> > And, does it make any difference if the cgiwrap dir is outside the html
> > tree?
> >
> > Thank you, Ralph
> >
> > On Wed, 8 Aug 2001, Neulinger, Nathan wrote:
> >
> > > Y'all do realize of course that if you are allowing people to run scripts as
> > > the server userid, you are opening up an ENORMOUS GAPING SECURITY HOLE on
> > > your server if you are also using cgiwrap or suexec.
> > >
> > > -- Nathan
> > >
> > > > -----Original Message-----
> > > > From: Ralph Huntington [mailto:rj...@mo...]
> > > > Sent: Tuesday, August 07, 2001 3:45 PM
> > > > To: Adrian Parker
> > > > Cc: cgi...@li...
> > > > Subject: Re: [cgiwrap-users] OpenSRS 2.41 + CGIWrap
> > > >
> > > > > How do we turn CGIWrap off by directories? I thought in httpd.conf we
> > > > > might be able to remove "AddHandler cgi-wrapper .pl" and "AddHandler
> > > > > cgi-wrapper .cgi" from <VirtualHost *>, but that doesn't seem to
> > > > > change anything.
> > > >
> > > > We solve this for the occasional scripts that give problems (AutoCart
> > > > comes to mind). We do not use the AddHandler, but rather configure two
> > > > ScriptAlias'd dirs for each domain. The user can choose where to put the
> > > > script to have it wrapped or not.
> > > >
> > > > The wrapped dir is named 'cgiwrap' and is in the home dir. The unwrapped
> > > > (cgi-bin) dir is in htdocs.
> > > >
> > > > Hope this is useful to you or someone.
> > > >
> > > > - Ralph
> > > >
> > > > _______________________________________________
> > > > cgiwrap-users mailing list
> > > > cgi...@li...
> > > > http://lists.sourceforge.net/lists/listinfo/cgiwrap-users
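The check-A/check-B logic Nathan describes, modelled as an added C example (not cgiwrap's own code). It goes a little beyond the thread by also showing the target-uid and script-path checks a wrapper must make after check A; the uids (httpd as 48, user alice as 1001), the directory and the script names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Verdicts of the wrapper's pre-flight decision. */
enum wrap_verdict {
    WRAP_OK = 0,
    WRAP_NOT_SERVER_UID,  /* check A failed: the caller is not the web server */
    WRAP_BAD_TARGET,      /* would switch to root, or not switch at all */
    WRAP_BAD_PATH         /* script lies outside the user's wrapped directory */
};

/* Hypothetical model of checks A and B: may the wrapper run `script` as
 * `target_uid` when its real uid is `caller_uid`?  `server_uid` is the uid
 * httpd runs under; `cgi_dir` is the user's wrapped directory (the
 * 'cgiwrap' dir in the home dir from the thread).  A pure function, so it
 * can be exercised without being installed setuid root. */
enum wrap_verdict wrapper_decide(uid_t caller_uid, uid_t server_uid,
                                 uid_t target_uid, const char *cgi_dir,
                                 const char *script)
{
    size_t n = strlen(cgi_dir);

    /* A: only the web server may invoke the wrapper.  This is the whole
     * trust assumption: once ordinary users can run code as server_uid
     * (an unwrapped cgi-bin), every caller passes this check. */
    if (caller_uid != server_uid)
        return WRAP_NOT_SERVER_UID;

    /* B: switch only to an ordinary user, never to root and never a
     * no-op that leaves the script running as the server. */
    if (target_uid == 0 || target_uid == server_uid)
        return WRAP_BAD_TARGET;

    /* The script must sit below cgi_dir with no way to climb out of it;
     * rejecting any "/.." is deliberately conservative. */
    if (strncmp(script, cgi_dir, n) != 0 || script[n] != '/')
        return WRAP_BAD_PATH;
    if (strstr(script, "/..") != NULL)
        return WRAP_BAD_PATH;

    return WRAP_OK;
}

int main(void)
{
    const char *dir = "/home/alice/cgiwrap";   /* constructed */
    printf("httpd -> alice: %d\n",
           wrapper_decide(48, 48, 1001, dir, "/home/alice/cgiwrap/form.cgi"));
    printf("other uid calling directly: %d\n",
           wrapper_decide(1002, 48, 1001, dir, "/home/alice/cgiwrap/form.cgi"));
    return 0;
}
```

Every verdict after check A still depends on the wrapper's inputs (path, environment) being the server's, which is exactly what is lost when the server uid is shared.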