
cgi-bin security



I administer a couple of Linux machines (potato based), and have a user
who wants to run cgi-bin scripts, and I would like to know if there are
security concerns.

Currently all cgi-bin scripts which run are in /usr/lib/cgi-bin and
owned by root.  As far as I can tell Apache is configured to look only
there for such scripts.  My recollection is that it used to be
otherwise.  There is apparently an Apache option to allow users to run
cgi scripts called suEXEC, but this looks like I could open myself up for
more trouble than it is worth.

On the other hand, there appears to be an easy solution, but I am
unclear as to the security implications.  Here is the proposed
solution.

To allow userX to execute cgi scripts from ~userX/public_html/cgi-bin, 

(As root)
cd /usr/lib/cgi-bin
mkdir userX
cd userX
ln -s ~userX/public_html/cgi-bin cgi-bin

Then userX can access her scripts via
http://hostname/cgi-bin/userX/cgi-bin/script_name.cgi

Since apache runs as www-data, does www-data own the cgi script?  Does
the user own the script?  If the script executes rm -rf /*, what
happens?

Thanks for any advice.

Thomas R. Shemanske
Department of Mathematics
Dartmouth College
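
Added example, not part of the original message: a shell audit an administrator could run over the CGI root after creating a symlink like the one proposed above. It assumes that without suEXEC Apache runs every CGI script as the server's own user (www-data here) whatever the file's owner; the function name audit_cgi_root and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: list content under a CGI root that the web server will
# execute but that the administrator does not control.
# Assumption: without suEXEC, CGI scripts run as the server user (www-data),
# so anyone who can write under this tree can run code as that user.

# audit_cgi_root ROOT [OWNER]   (OWNER defaults to root; a numeric uid works)
# Prints one finding per line. File names containing newlines are not handled.
audit_cgi_root() {
    root=$(cd "$1" && pwd -P) || return 2
    owner=${2:-root}

    # 1. Symlinks that resolve outside ROOT, such as
    #    /usr/lib/cgi-bin/userX/cgi-bin -> ~userX/public_html/cgi-bin
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link") || continue
        case "$target" in
            "$root"|"$root"/*) ;;   # stays inside the CGI root
            *) printf 'SYMLINK_OUTSIDE %s -> %s\n' "$link" "$target" ;;
        esac
    done

    # 2. Following symlinks: files and directories not owned by OWNER.
    find -L "$root" \( -type f -o -type d \) ! -user "$owner" \
        -exec printf 'NOT_OWNED_BY_%s %s\n' "$owner" {} \;

    # 3. Following symlinks: anything group- or world-writable.
    find -L "$root" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) \
        -exec printf 'WRITABLE_BY_OTHERS %s\n' {} \;
}

# Stand-alone use: sh audit.sh /usr/lib/cgi-bin
if [ "$#" -gt 0 ]; then
    audit_cgi_root "$@"
fi
```

With the layout proposed in the message, the symlink is reported as SYMLINK_OUTSIDE and every script behind it as not owned by root.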


