On Fri, Jul 07, 2006 at 04:42:47PM -0400, LEE, Yui-wah (Clement) wrote:
> Hi,
>
> This is an experimental package that we built and
> evaluated internally (up to this moment). The program
> that needs setuid is a cgi-bin program that is invoked
> by apache2, which runs as a regular user www-data. The
> cgi-bin program however needs to interact with
> iptables.

You are setting up an iptables interface through a setuid *root* cgi-bin? If so: !

> I know setuid programs are risky but I haven't got the
> time to address the security risk yet (one thing at a
> time ... :-)

I can do the security risk analysis for you: granting remote root through a web server application is a recipe for disaster; those tactics were (or should have been) abandoned ages ago.

Either you make really damn sure that the cgi-bin is not exploitable, through fascist input data validation and a tight SELinux policy, or you remove the setuid bit and provide the functionality you need through other mechanisms. For example: a cgi-bin that locally communicates with a separate daemon and asks it to "pretty please" set up an iptables rule. If you do this, the separate daemon can be very strict in what it permits and can do additional data validation. Additionally, a failure in the cgi-bin (i.e. a buffer overflow or similar programming mistake) does not equal a remote root compromise (at most a remote www-data, although that's bad enough already).

Just my 2c.

Javier
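The privilege-separated design Javier sketches above (unprivileged cgi-bin hands a request to a strict, separately running daemon that owns the iptables call) is illustrated below. This is an added example, not code from the original thread or from the package being discussed; the request format ("ACTION PROTO SRC_ADDR DST_PORT"), the dedicated WEBAPP chain, the socket path and the fixed allowlists are all assumptions chosen for the illustration. The daemon side never passes request text through a shell, only accepts a tiny fixed grammar, validates every field before building an argv, and confines itself to one chain, so a bug in the web-facing cgi-bin can at worst submit a well-formed rule for that chain rather than arbitrary root commands.

```python
"""Validating request handler for a privilege-separated iptables front end.

Constructed example (assumptions): the cgi-bin (running as www-data) connects
to a Unix socket and sends one line: "ACTION PROTO SRC_ADDR DST_PORT".
The privileged daemon parses it with this module and runs iptables only on
a dedicated chain. Nothing here is the original package's code.
"""
import ipaddress
import os
import re
import socket
import subprocess

# Closed allowlists: the daemon decides what is possible, not the caller.
ALLOWED_ACTIONS = {"allow": "ACCEPT", "deny": "DROP"}
ALLOWED_PROTOS = {"tcp", "udp"}
CHAIN = "WEBAPP"  # assumed dedicated chain; the daemon never touches others
MAX_LINE = 256    # bound on request size read from the socket

# Only these characters may ever appear in a request token.
_TOKEN = re.compile(r"^[A-Za-z0-9.]+$")


class RequestError(ValueError):
    """Raised for any request that does not match the fixed grammar."""


def parse_request(line):
    """Parse and validate one request line into a dict of checked fields."""
    parts = line.strip().split()
    if len(parts) != 4:
        raise RequestError("expected exactly 4 fields")
    for token in parts:
        if not _TOKEN.match(token):
            raise RequestError("illegal characters in request")
    action, proto, src, port = (p.lower() for p in parts)
    if action not in ALLOWED_ACTIONS:
        raise RequestError("unknown action")
    if proto not in ALLOWED_PROTOS:
        raise RequestError("unknown protocol")
    try:
        src_ip = ipaddress.IPv4Address(src)  # IPv4 only for this iptables daemon
    except ValueError:
        raise RequestError("bad source address")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise RequestError("bad destination port")
    return {"target": ALLOWED_ACTIONS[action], "proto": proto,
            "src": str(src_ip), "dport": int(port)}


def build_iptables_argv(req):
    """Build the iptables argv from validated fields; no shell is involved."""
    return ["iptables", "-A", CHAIN, "-p", req["proto"], "-s", req["src"],
            "--dport", str(req["dport"]), "-j", req["target"]]


def handle_line(line, run=subprocess.run):
    """Daemon-side handling of one request; returns the reply sent back.

    `run` is injectable so the logic can be exercised without touching
    the real firewall (e.g. in a test).
    """
    try:
        req = parse_request(line)
    except RequestError as exc:
        return "ERR " + str(exc)
    result = run(build_iptables_argv(req), check=False, capture_output=True)
    if result.returncode != 0:
        return "ERR iptables exited %d" % result.returncode
    return "OK"


def serve(sock_path, run=subprocess.run):
    """Privileged daemon loop: one bounded request line per connection."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        # Assumption: socket group-owned so only www-data may connect.
        os.chmod(sock_path, 0o660)
        srv.listen(5)
        while True:
            conn, _ = srv.accept()
            with conn:
                line = conn.makefile("r").readline(MAX_LINE)
                conn.sendall((handle_line(line, run) + "\n").encode())


def submit(sock_path, line):
    """cgi-bin side (www-data): send one request line and return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(sock_path)
        cli.sendall((line.strip() + "\n").encode())
        return cli.makefile("r").readline(MAX_LINE).strip()


if __name__ == "__main__":
    # Dry run: print what the daemon would execute for a couple of inputs.
    for sample in ("allow tcp 192.0.2.10 443", "allow tcp 192.0.2.10 443; id"):
        try:
            print(build_iptables_argv(parse_request(sample)))
        except RequestError as exc:
            print("rejected:", exc)
```

The key design point is that the web-facing process never chooses the command; it can only ask for one of a handful of rule shapes, and the daemon rebuilds the argv from fields it has already checked. The `run` parameter exists so the validation path can be exercised without root or a live firewall.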