CGI security on a shared web server

From: George Dinwiddie (gdinwiddieat_private)
Date: Thu May 23 2002 - 07:13:14 PDT

    I am renting server space on a shared machine which runs my site, and
    others, as virtual domains on a single instance of Apache.  CGI programs
    run under the uid 'nobody', as does the server itself.  This means that
    if I want to provide write access to a data file, I must allow world
    write access to that file.  It also means that if my CGI program 
    creates a data file, that file is owned by 'nobody' and I do not have
    full privileges over my own data.  Since the box has multiple 
    legitimate users, all users of the box have just as much access to
    my data as I do.
    
    To me, this is a problem.  It's both a security problem (protecting
    my data) and an administrative problem (changing permissions on
    files created by the CGI script).
    
    I've asked the owner of the server to enable the suEXEC feature of
    Apache.  The response I've gotten is that this is a security
    vulnerability.  Indeed, the Apache docs
    (http://httpd.apache.org/docs/suexec.html) warn that "However, if
    suEXEC is improperly configured, it can cause any number of problems
    and possibly create new holes in your computer's security. If you
    aren't familiar with managing setuid root programs and the security
    issues they present, we highly recommend that you not consider
    using suEXEC." The previous sentence, however, notes that "Used
    properly, this feature can reduce considerably the security risks
    involved with allowing users to develop and run private CGI or SSI
    programs."
    
    I understand that using suEXEC opens my own account up to any
    security holes introduced by my own CGI scripts.  I'm certainly
    willing to accept that responsibility and risk.
    
    I don't understand what risks there are to the server and 
    machine as a whole, such that the server owner should be
    reluctant to enable this feature.  Could someone please tell
    me what are the risks and how are these risks controlled in
    typical "good" use of suEXEC?
    
     - George
    
    -- 
     ----------------------------------------------------------------------
      George Dinwiddie                             gdinwiddieat_private
      The gods do not deduct from man's allotted span those hours spent in
      sailing.                                    http://www.Alberg30.org/
     ----------------------------------------------------------------------
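
An added example, not part of the original message: a Python audit that lists the two conditions the message describes under a site directory, files that are world-writable and files owned by a uid other than the account holder's (such as files created by a CGI running as 'nobody'). The function names, file names and sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_tree(root, owner_uid):
    """Return a sorted list of (relative_path, [issues]) for entries under root.

    Flags entries any local user can write to, and entries whose owner is
    not owner_uid (the account holder cannot chmod or chown those).
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            issues = []
            if st.st_mode & stat.S_IWOTH:
                issues.append("world-writable")
            if st.st_uid != owner_uid:
                issues.append("owned by uid %d" % st.st_uid)
            if issues:
                findings.append((os.path.relpath(path, root), issues))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample site directory and return its path."""
    root = tempfile.mkdtemp(prefix="cgi-audit-")
    samples = (
        ("guestbook.dat", 0o666),  # data file opened up so the CGI can write
        ("index.html", 0o644),     # static page, readable by the server
        ("secret.cfg", 0o600),     # private to the account holder
    )
    for name, mode in samples:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # set explicitly so the umask does not interfere
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, issues in audit_tree(sample_root, os.getuid()):
        print("%s: %s" % (rel_path, ", ".join(issues)))
```
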
    


