Re: A question on setting setuid bit

On Fri, Jul 07, 2006 at 04:42:47PM -0400, LEE, Yui-wah (Clement) wrote:
> Hi,
> This is an experimental package that we built and
> evaluate internally (up to this moment).  The program
> that needs setuid is a cgi-bin program that is invoked
> by apache2, which runs as a regular user www-data.  The
> cgi-bin program however needs to interact with
> iptables.

You are setting up an iptables interface through a setuid *root* cgi-bin?
If so: !

> I know setuid programs are risky but I haven't got the
> time to address the security risk yet (one thing at a
> time ... :-)

I can do the security risk analysis for you: granting remote root through a web
server application is a recipe for disaster; those tactics were (or should
have been) abandoned ages ago.

Either you make really damn sure that the cgi-bin is not exploitable, through
fascist input data validation and a tight SELinux policy, or you remove the
setuid bit and try to make the functionality you need through other
For example: a cgi-bin that locally communicates with a separate daemon and
asks it to "pretty please" set up an iptables rule. If you do this, the separate
daemon can be very strict in what it permits and can do additional data
validation; additionally, a failure in the cgi-bin (i.e. a buffer overflow or
similar programming mistake) does not equal a remote root compromise (at
most a remote www-data, although that's bad enough already).

Just my 2c.
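The privilege-separated design suggested above (an unprivileged cgi-bin asking a
separate root daemon to touch iptables), written out as an added example. This is
not code from the thread or from the poster's package; it assumes a hypothetical
UNIX socket at /run/fwhelper.sock, that www-data is uid 33, and that the only
operations ever wanted are adding and removing a DROP rule for a single IPv4
address in the INPUT chain. The point is that the request never reaches a shell
and never contributes anything to the iptables command line except one validated
address; everything else comes from fixed templates inside the daemon.

```python
"""Privilege-separated iptables helper.

The cgi-bin (running as www-data, no setuid) sends a one-line request over a UNIX
socket; this daemon (running as root) validates it against a fixed allowlist and
only then invokes iptables with a constant argv list.

Added example, not code from the original thread. Assumptions (hypothetical):
socket path /run/fwhelper.sock, www-data is uid 33, and "block"/"unblock" of a
single IPv4 host in the INPUT chain are the only operations the daemon offers.
"""
import ipaddress
import os
import socket
import struct
import subprocess

SOCKET_PATH = "/run/fwhelper.sock"   # assumption: path agreed with the cgi-bin
ALLOWED_PEER_UIDS = {33}             # assumption: www-data is uid 33 (Debian-style)
MAX_REQUEST_BYTES = 64

# The only iptables invocations this daemon can ever produce. A request selects a
# template; the sole request-controlled element is the validated IPv4 address.
RULE_TEMPLATES = {
    "block":   ["iptables", "-I", "INPUT", "-s", None, "-j", "DROP"],
    "unblock": ["iptables", "-D", "INPUT", "-s", None, "-j", "DROP"],
}


class RequestError(ValueError):
    """Raised for any request that is not exactly '<action> <ipv4>'."""


def build_iptables_argv(request: str) -> list:
    """Turn a request line into an iptables argv list, or raise RequestError.

    Validation is allowlist-based: exactly two tokens, a known action, and an
    address that ipaddress.IPv4Address accepts (no CIDR, no hostnames, no extra
    flags). Anything else is rejected before iptables is involved at all.
    """
    if len(request) > MAX_REQUEST_BYTES:
        raise RequestError("request too long")
    tokens = request.strip().split()
    if len(tokens) != 2:
        raise RequestError("expected '<action> <ipv4>'")
    action, addr = tokens
    if action not in RULE_TEMPLATES:
        raise RequestError("unknown action")
    try:
        ip = ipaddress.IPv4Address(addr)   # rejects '1.2.3.4;', '1.2.3.4/24', 'host'
    except ValueError:
        raise RequestError("not an IPv4 address")
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        raise RequestError("refusing to touch special-purpose address")
    return [str(ip) if part is None else part for part in RULE_TEMPLATES[action]]


def peer_uid(conn: socket.socket) -> int:
    """Read the connecting process's uid via SO_PEERCRED (Linux only)."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid


def handle_connection(conn: socket.socket, run=subprocess.run) -> str:
    """Serve one request and return the one-line reply also sent to the client."""
    if peer_uid(conn) not in ALLOWED_PEER_UIDS:
        reply = "ERR unauthorised peer"
    else:
        try:
            raw = conn.recv(MAX_REQUEST_BYTES + 1).decode("ascii")
            argv = build_iptables_argv(raw)
            # argv list, never a shell: nothing in the request is parsed by /bin/sh
            result = run(argv, capture_output=True, check=False)
            reply = "OK" if result.returncode == 0 else "ERR iptables failed"
        except (RequestError, UnicodeDecodeError) as exc:
            reply = "ERR %s" % exc
    conn.sendall((reply + "\n").encode("ascii"))
    return reply


def serve_forever():
    """Bind the socket (group-accessible only) and handle one client at a time."""
    if os.path.exists(SOCKET_PATH):
        os.unlink(SOCKET_PATH)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(SOCKET_PATH)
    os.chmod(SOCKET_PATH, 0o660)   # chgrp to www-data separately; peer uid is still checked
    srv.listen(5)
    while True:
        conn, _ = srv.accept()
        with conn:
            handle_connection(conn)


if __name__ == "__main__":
    serve_forever()
```

On the cgi-bin side all that remains is `connect()` to the socket, `send()` one
line such as `block 203.0.113.7`, and read the reply; a bug there still only buys an
attacker www-data, and the worst it can ask the daemon for is a DROP rule on one
address, which is exactly the blast radius the post above argues for.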
