
Re: cgi-bin security



On Sun, Oct 22, 2000 at 09:06:48AM -0400, Thomas R. Shemanske wrote:
> I administer a couple of linux machines (potato based), and have a user
> who wants to run cgi-bin scripts, and I would like to know if there are
> security concerns.
> 
> Currently all cgi-bin scripts which run are in /usr/lib/cgi-bin and
> owned by root.  As far as I can tell Apache is configured to look only
> there for such scripts.  My recollection is that it used to be
> otherwise.  There is apparently an Apache option to allow users to run
> cgi scripts called suEXEC, but this looks like I could open myself up
> for more trouble than it is worth.
> 
> On the other hand, there appears to be an easy solution, but I am
> unclear as to the security implications.  Here is the proposed
> solution.
> 
> To allow userX to execute cgi scripts from ~userX/public_html/cgi-bin, 

	<DirectoryMatch ^/home/.*/public_html>
		order allow,deny
		allow from all
		Options +Indexes +Includes -FollowSymLinks
	</DirectoryMatch>
	<DirectoryMatch ^/home/.*/public_html/cgi>
		Options +ExecCGI
		SetHandler cgi-script
	</DirectoryMatch>

or maybe

	<DirectoryMatch ^/home/.*/public_html>
		<FilesMatch "\.cgi$">
			Options +ExecCGI
			SetHandler cgi-script
		</FilesMatch>
	</DirectoryMatch>

there are other methods (tmtowtdi). don't cut & paste
unless you understand the security implications!

> Then userX can access her scripts via
> http://hostname/cgi-bin/userX/cgi-bin/script_name.cgi

better yet, http://server.name.here/~username/cgi/scripts  or
http://the.server/~login/something.cgi  respectively.

> Since apache runs as www-data, does www-data own the cgi script?  Does
> the user own the script?  If the script executes rm -rf /*, what
> happens?

users should have ownership of their own scripts, so that their
scripts can do no more damage than they can at the shell. also
be conscious of group membership for your users, and the consequences.

	% groups someusername
		see who's in which groups
	# usermod
		change default and auxiliary groups for any user (as root)
	% ls -l directory/
		see user/group ownership per file
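As an added example (not part of the original mail), here is a small POSIX shell function that runs the ownership and permission checks discussed above over one user's cgi directory, so the "ls -l" inspection can be repeated for every account. The function name, the output labels and the ~user/public_html/cgi layout are assumptions taken from the first DirectoryMatch block; nothing here is Apache's own tooling.

```shell
#!/bin/sh
# Added example, not from the original post.
# Audit one user's CGI directory for the issues raised in the thread:
#   - files or directories not owned by the user (someone else's code would
#     run under that user's URL space, and suEXEC would refuse to run it)
#   - group- or world-writable files or directories (another account in a
#     shared group could edit what the web server executes, hence the
#     "be conscious of group membership" advice)
#   - symlinks inside the cgi tree
#   - .cgi files without the owner-execute bit (they fail instead of running)
# Assumed layout (from the DirectoryMatch block above): ~user/public_html/cgi
#
# Usage: audit_cgi_dir /home/userX/public_html/cgi userX
# Prints one "label: path" line per finding.
# Returns 0 when clean, 1 when something was flagged, 2 if the dir is missing.

audit_cgi_dir() {
    acd_dir=$1
    acd_owner=$2
    acd_rc=0

    [ -d "$acd_dir" ] || { echo "no such directory: $acd_dir" >&2; return 2; }

    # 1. Anything in the tree not owned by the expected user.
    acd_out=$(find "$acd_dir" ! -user "$acd_owner" -print)
    [ -n "$acd_out" ] && {
        printf '%s\n' "$acd_out" | sed "s/^/not-owned-by-$acd_owner: /"
        acd_rc=1
    }

    # 2. Group-writable (020) or world-writable (002) entries, dirs included:
    #    a writable directory lets others drop a new script into it.
    acd_out=$(find "$acd_dir" \( -perm -020 -o -perm -002 \) -print)
    [ -n "$acd_out" ] && {
        printf '%s\n' "$acd_out" | sed 's/^/group-or-world-writable: /'
        acd_rc=1
    }

    # 3. Symlinks: public_html has -FollowSymLinks above, but a link inside
    #    the cgi tree is still worth a look.
    acd_out=$(find "$acd_dir" -type l -print)
    [ -n "$acd_out" ] && {
        printf '%s\n' "$acd_out" | sed 's/^/symlink: /'
        acd_rc=1
    }

    # 4. Regular .cgi files missing the owner-execute bit (100).
    acd_out=$(find "$acd_dir" -type f -name '*.cgi' ! -perm -100 -print)
    [ -n "$acd_out" ] && {
        printf '%s\n' "$acd_out" | sed 's/^/not-executable: /'
        acd_rc=1
    }

    return $acd_rc
}

# Run directly as "sh audit.sh DIR USER"; does nothing when sourced.
if [ "$#" -eq 2 ]; then
    audit_cgi_dir "$1" "$2"
    exit $?
fi
```

Run it once per home directory (for example from a loop over /home/*) and compare the findings against the group list from "groups someusername": a group-writable script in a group with several members is the case where one user's mistake becomes another user's problem.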

-- 
self-reference, n: see self-reference.

will@serensoft.com   ***   http://www.dontUthink.com/
