From: Jonathan S. <gel...@ge...> - 2002-02-14 21:01:12
On Thu, 14 Feb 2002, Olivier Dragon wrote:
> On Thu, Feb 14, 2002 at 09:02:04AM -0800, Wizard wrote:
> > > - putting all possible world r/w files below the document root (or
> > > above, depending how you see this)
> > This would only work for the .txt files. The HTML must be under the docroot.
>
> Yes I know. But the less r/w files exposed, the better, no? Or is this a
> false sense of pseudo security?
>
> And what about the directories? I've heard of an exploit using something
> like ../../../../../../../../../../../tmp as cgi-input to gain write
> access to a machine. Again, I'm not a security expert and I don't know
> any methods of gaining access to a machine, but it seems to me that the
> more holes plugged, the better.
>

The NMS programs aren't vulnerable to exploits of that sort themselves, but
of course the files are vulnerable to those sorts of holes in other people's
programs running on the same server. Of course we have no way of knowing
about the configuration of any given webserver - however we probably could
have the program files attempt to chmod themselves 0550 and their data
directories 0750 and set a conservative umask of 0077 for the creation of
new files. This won't save us on a shared web server where all of the
programs for all of the users run with the same uid, but it will buy us some
security on dedicated machines or shared servers where each user has their
CGI programs run SuExec to their own uid.

At the end of the day the programs are only ever going to be as secure as
the servers that they are running on, and we can certainly expect that there
are places where they are going to have to be chmod 555 because of the
configuration of the server - we could put an iterative description of 'try
0500, then 0550, then 0555 ...' in the README but I think people are going
to get bored with that very quickly ;-}

/J\
--
Jonathan Stowe | <http://www.gellyfish.com> | This space for rent |
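What the "chmod themselves 0550, data directories 0750, umask 0077" idea looks like in a CGI program, as an added example that is not code from the NMS project or from anyone in this thread. `$DATA_DIR`, the `data` subdirectory next to the script, and the `example.txt` file it creates are assumptions made up for the illustration; the `tighten` helper is likewise hypothetical.

```perl
#!/usr/bin/perl -w
# Added example, not NMS code: a CGI program tightening its own permissions
# at startup, along the lines sketched in the message above.
# $DATA_DIR and the data/ location are hypothetical.
use strict;
use File::Basename qw(dirname);
use Cwd qw(abs_path);

# Every file or directory the program creates from now on gets 0600 / 0700,
# whatever the web server's default umask was.
umask 077;

# chmod() only succeeds for the file's owner (or root), so on a shared server
# where scripts are owned by the user but run as the web server's uid these
# calls quietly do nothing. Under SuExec, or on a dedicated box, the effective
# uid owns the files and the tightening takes effect.
sub tighten {
    my ($path, $mode) = @_;
    return 'skipped: not owned by effective uid' unless -o $path;
    return "chmod failed: $!" unless chmod($mode, $path);
    # Verify rather than trust: read the mode back and compare.
    my $actual = (stat $path)[2] & 07777;
    return sprintf('mode is %04o, wanted %04o', $actual, $mode)
        unless $actual == $mode;
    return 'ok';
}

my $program  = abs_path($0);
my $DATA_DIR = dirname($program) . '/data';   # hypothetical location

my %result = (
    $program  => tighten($program,  0550),    # owner+group r-x, no world access
    $DATA_DIR => tighten($DATA_DIR, 0750),    # owner rwx, group r-x
);

# A new data file now inherits the umask: 0666 & ~077 == 0600.
my $newfile = "$DATA_DIR/example.txt";        # hypothetical file
if (open my $fh, '>>', $newfile) {
    close $fh;
    $result{$newfile} = sprintf('created with mode %04o',
                                (stat $newfile)[2] & 07777);
}

print "Content-Type: text/plain\n\n";
print "$_: $result{$_}\n" for sort keys %result;
```

The program stops at 0550 for itself on purpose: once it is running it cannot tell whether the server needed group or world read access to start it, so going down to 0500 blindly risks a 403 on the next request. That is exactly the case the "try 0500, then 0550, then 0555" README list has to cover by hand. The `-o` check and the read-back after `chmod` mean the run is harmless where the uid does not own the files, which is the shared-uid case the message says this cannot help with anyway.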