
Re: cgiemail installs owned by root in /usr/lib/cgi-bin



On Mon, Nov 29, 2004 at 12:49:30AM +0200, Black Dew wrote:
> Antonio Rodriguez wrote:
> >I noticed that when installing cgiemail it is set as owned by root,
> >same as other scripts simultaneously installed in /usr/lib/cgi-bin
> >I figure this is right, I would be surprised if I were the first
> >finding a bug, but I don't see why it makes it safer than installing
> >it as owned by www-data:www-data. Can anyone answer this? Are all the
> >scripts here supposed to belong to root?
> 
> That prevents a compromised web server/script from overwriting some script.
> 
> Same is generally a good idea for anything that the web server needs to 
> access but has no valid reason to modify.
> 
> Note that files can be either owned by root:whatever and be world 
> readable (644) or owned by root:www-data and set group readable (640).
> Setting them owned by www-data:www-data with no write permissions (440) 
> is useless as a compromised script can easily chmod it to whatever it 
> likes.
> 

Thank you for your explanation. I had just read some comments in the
metafaq for cgi by Lincoln Stein, see
http://www.w3.org/Security/Faq/wwwsf4.html question 20
before installing cgiemail and ls-ing cgi-bin ....

I wrote below a few statements about the logic for being root
owned. Any comments are welcome.

The danger of being root owned would be in the fact that it can
virtually do anything. If the script does only useful/good/harmless
things then it doesn't matter who executes it. To modify it to make it
do bad/harmful things, the black/brown hat hacker would need to have
write permissions over the script. This means the (b/b)hh would have
to be root. But then the (b/b)hh would not need the script.
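
The ownership cases discussed in this thread, as an added example that is not part of the original message: a Python audit that reports every path under a CGI directory that the web server account could alter. The default path and the `www-data` user come from the thread; the function names are hypothetical, and the check on directories is an addition (a writable directory lets the account add scripts to it).

```python
import os
import stat


def alter_reasons(st_uid, st_gid, st_mode, web_uid, web_gids):
    """Why the web server account could change a file or directory."""
    reasons = []
    if st_uid == web_uid:
        # An owner can chmod its own file, so mode 440 gives no protection.
        reasons.append("owned by web user")
    if st_gid in web_gids and st_mode & stat.S_IWGRP:
        reasons.append("writable by web group")
    if st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_tree(root, web_uid, web_gids):
    """Map each path under root (root included) to its reasons, if any."""
    findings = {}
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode is meaningless; skip it
        reasons = alter_reasons(st.st_uid, st.st_gid, st.st_mode,
                                web_uid, web_gids)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    import grp
    import pwd
    import sys
    # Defaults are the directory and account named in the thread.
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/cgi-bin"
    user = sys.argv[2] if len(sys.argv) > 2 else "www-data"
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    for path, reasons in sorted(audit_tree(root, pw.pw_uid, gids).items()):
        print(f"{path}: {', '.join(reasons)}")
```

An empty report means every script is in one of the two safe layouts named in the quoted reply (root-owned 644, or root:www-data 640).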


