Re: FW: [cgiwrap-users] a potential security problem
From: Nathan N. <nn...@um...> - 2002-05-29 03:02:35
CGIWrap has NOTHING to do with password checking! And like I said before - the userid that cgiwrap executes the script under has absolutely nothing to do with userids in htpasswd files. That is PURELY an issue of remote access control for what remote web clients are allowed to request that the server execute a particular cgi script.

The _ONLY_ thing that .htpasswd/.htaccess do is determine whether or not a cgi script is executed, and what the value of the REMOTE_USER environment variable will be. It has nothing to do with what uid the script runs as.

CGIwrap will not normally ever _run_ a script as root. It switches to the owner of the script before executing it.

I highly recommend that you contact your local system administrator/expert to explain setuid executables, apache configuration, and how cgi scripts function.

-- Nathan

On Tue, 2002-05-28 at 21:56, Jiang, Hai Dong (Harry) wrote:
> Nathan:
> And we suppose the web server owner is a bad guy!
> When he accesses the web as root, cgiwrap will switch it to real root on the unix server side.
> Then he can do anything root can do on the server, right?
> Till now, cgiwrap will not check the root password on unix, it only checks .htpasswd, right?
>
> harry
>
> -----Original Message-----
> From: Jiang, Hai Dong (Harry)
> Sent: 2002-05-29 10:40
> To: 'Nathan Neulinger'
> Subject: RE: [cgiwrap-users] a potential security problem
>
> Nathan:
> But I do not know why the example I raised does damage to my unix server?
> I write a program called rmallfiles.pl (set 755 and owner is harry, web server owner) like that:
> rm -rf /home/notharry
>
> then I put it into /cgi-bin/.
> I access from the web and input user as root. Input
> http://*.*.*.*:8080/cgi-bin/cgiwrap/rmallfiles.pl
>
> Then all my files residing in /home/notharry are lost.
>
> Why?
>
> harry
>
> -----Original Message-----
> From: Nathan Neulinger [mailto:nn...@um...]
> Sent: 2002-05-29 10:31
> To: Jiang, Hai Dong (Harry)
> Cc: cgi...@li...
> Subject: RE: [cgiwrap-users] a potential security problem
>
> On Tue, 2002-05-28 at 21:26, Jiang, Hai Dong (Harry) wrote:
> > Nathan:
> > Thank you very much for your prompt response!
> >
> > I notice a line in cgiwrap.c:
> >
> > ChangeID(user);
> >
> > So I think the cgiwrap should be owned by root, is it right?
> > That is, cgiwrap should be setuid root (4755 mode and owner is root)?
> >
> > For example, the web server owner is harry.
> > 1. he sets up a web user in conf/.htpasswd called root.
> > 2. And he puts a malicious program on cgi-bin/ called rmallfiles.pl
> > 3. he accesses the web as root
> > 4. URL is http://*.*.*.*:8080/cgiwrap/cgi-bin/rmallfiles.pl
> >
> > It is an example of a potential security problem.
>
> users in .htpasswd have nothing to do with unix userids that processes run under.
>
> > harry
> >
> > -----Original Message-----
> > From: Nathan Neulinger [mailto:nn...@um...]
> > Sent: 2002-05-29 9:50
> > To: Jiang, Hai Dong (Harry)
> > Cc: cgi...@li...
> > Subject: Re: [cgiwrap-users] a potential security problem
> >
> > Unless you configured cgiwrap to allow executing scripts as root, this is not the case.
> >
> > Even still - it doesn't do you any good, since you'd still have to have root or specific-user permissions to install scripts into the users' cgi directories.
> >
> > Please be more specific if this doesn't answer your question.
> >
> > -- Nathan
> >
> > On Tue, 2002-05-28 at 20:44, Jiang, Hai Dong (Harry) wrote:
> > > All,
> > > I wonder if cgiwrap has a security problem??
> > > If the web server owner's password is known by malicious guys, he can set up a user called root and put some malicious program on the web server, then he can access and execute these programs as root from the web, because cgiwrap does not check the unix password for the web user.
> > > Is it a potential security problem?
> > >
> > > harry

--
------------------------------------------------------------
Nathan Neulinger                 EMail: nn...@um...
University of Missouri - Rolla   Phone: (573) 341-4841
Computing Services               Fax: (573) 341-4216
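Nathan's point, that the uid a wrapped script runs as comes from the script file's owner and never from the REMOTE_USER that .htpasswd produced, as an added C illustration written for this page (not cgiwrap's own cgiwrap.c or its ChangeID); the MIN_UID floor and the unconditional refusal of uid 0 are assumed wrapper policy, not cgiwrap's configuration.

```c
/* Added illustration, not cgiwrap's own code: a setuid wrapper in the spirit of
 * ChangeID(). The uid/gid come from the script file's owner; REMOTE_USER is never
 * consulted, and uid 0 is refused (MIN_UID is an assumed policy, not cgiwrap's). */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MIN_UID 100   /* assumption: system accounts live below this */
/* The file's owner decides who the script runs as. */
int script_owner(const char *path, uid_t *uid, gid_t *gid) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    *uid = st.st_uid;
    *gid = st.st_gid;
    return 0;
}
/* Policy from the thread: the wrapper never runs a script as root. */
int uid_allowed(uid_t uid) { return uid != 0 && uid >= MIN_UID; }
/* Drop privileges irrevocably (gid, supplementary groups, then uid), then verify
 * root cannot be regained. Only meaningful when the wrapper runs setuid root. */
int change_id(uid_t uid, gid_t gid) {
    if (!uid_allowed(uid)) return -1;
    if (setgid(gid) != 0 || setgroups(1, &gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;              /* drop was not permanent */
    return 0;
}
/* Self-check: a file we create is owned by our own uid, whatever REMOTE_USER says. */
int owner_matches_self(void) {
    char tmpl[] = "/tmp/wrapXXXXXX";
    uid_t uid; gid_t gid;
    int fd = mkstemp(tmpl);
    if (fd < 0) return 0;
    close(fd);
    int ok = script_owner(tmpl, &uid, &gid) == 0 && uid == getuid();
    unlink(tmpl);
    return ok;
}
int main(int argc, char **argv) {
    uid_t uid; gid_t gid;
    if (argc != 2 || script_owner(argv[1], &uid, &gid) != 0) return 2;
    if (change_id(uid, gid) != 0) { fprintf(stderr, "refusing uid %u\n", (unsigned)uid); return 1; }
    execl(argv[1], argv[1], (char *)NULL);   /* REMOTE_USER in the env is just a string */
    perror("execl");
    return 1;
}
```

Run as a setuid-root binary it would exec the named script as that file's owner; run unprivileged, change_id fails closed because setgroups() is refused.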