Re: A question on setting setuid bit
Thanks for articulating the risk. We will address it
later. The machines involved are experimental
prototypes not production machines.
On Fri, 7 Jul 2006, Javier Fernández-Sanguino Peña wrote:
> On Fri, Jul 07, 2006 at 04:42:47PM -0400, LEE, Yui-wah (Clement) wrote:
> > Hi,
> > This is an experimental package that we built and
> > evaluate internally (up to this moment). The program
> > that needs setuid is a cgi-bin program that is invoked
> > by apache2, which runs as a regular user www-data. The
> > cgi-bin program however needs to interact with
> > iptables.
> You are setting up an iptables interface through a setuid *root* cgi-bin?
> If so: !
> > I know setuid programs are risky but I haven't got the
> > time to address the security risk yet (one thing at a
> > time ... :-)
> I can do the security risk analysis for you: granting remote root through a web
> server application is a recipe for disaster, those tactics were (or should
> have been) abandoned ages ago.
> Either you make really damn sure that the cgi-bin is not exploitable through
> fascist input data validation and a tight SELinux policy or you remove the
> setuid bit and try to make the functionality you need through other
> For example: a cgi-bin that locally communicates with a separate daemon and
> asks it to "pretty please" set up an iptables rule, if you do this the separate
> daemon can be very strict in what it permits and can do additional data
> validation, additionally, a failure in the cgi-bin (i.e. a buffer overflow or
> similar programming mistake) does not equal a remote root compromise (at
> most a remote www-data although that's bad enough already).
> Just my 2c.
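The split Javier describes (an unprivileged cgi-bin asking a separate, strict local daemon to add a rule instead of running setuid root itself), as an added example that is not from this thread: the daemon's request validator. The two-action request grammar, the INPUT-chain iptables templates and the function names are assumptions for the example, not anything from the original exchange.

```python
import ipaddress
import re

# Constructed request grammar for the privileged daemon (assumed, not from the
# thread): "<action> <ipv4-address> [tcp-port]", e.g. "block 192.0.2.10 22".
# Each action maps to a fixed iptables argv template; the daemon never builds a
# shell command string, so request text can never become shell syntax.
ACTIONS = {
    "block": ["iptables", "-A", "INPUT", "-s", "{addr}", "-j", "DROP"],
    "allow": ["iptables", "-A", "INPUT", "-s", "{addr}", "-j", "ACCEPT"],
}
TOKEN = re.compile(r"^[a-z0-9.]+$")  # any other character rejects the request


class RejectedRequest(ValueError):
    """Raised by the daemon for anything outside the allowed grammar."""


def parse_request(line):
    """Validate one request line and return the iptables argv to run.

    Only the two known actions, a strictly parsed IPv4 address and an optional
    TCP port are accepted; everything else raises RejectedRequest.
    """
    parts = line.strip().split(" ")
    if not 2 <= len(parts) <= 3:
        raise RejectedRequest("expected '<action> <addr> [port]'")
    for tok in parts:
        if not TOKEN.match(tok):
            raise RejectedRequest("illegal character in request")
    action, addr = parts[0], parts[1]
    if action not in ACTIONS:
        raise RejectedRequest("unknown action %r" % action)
    try:
        ip = ipaddress.IPv4Address(addr)  # strict: no hostnames, CIDR or IPv6
    except ipaddress.AddressValueError:
        raise RejectedRequest("not an IPv4 address")
    argv = [a.format(addr=str(ip)) for a in ACTIONS[action]]
    if len(parts) == 3:
        port = parts[2]
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise RejectedRequest("bad port")
        argv[-2:-2] = ["-p", "tcp", "--dport", str(int(port))]  # before "-j"
    return argv


def handle_request(line):
    """Daemon entry point: returns (accepted, argv_or_reason) without executing.

    A real daemon would hand argv to subprocess.run(argv) (no shell) and log the
    decision; execution is left out so the example runs without root.
    """
    try:
        return True, parse_request(line)
    except RejectedRequest as exc:
        return False, str(exc)
```

The cgi-bin sends one such line over a local socket; because the daemon only ever emits an argv from its own fixed templates, a compromised cgi-bin can at most request a rule the daemon already permits.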