On Sun, 26 May 2002 17:34:35 +0200, "Pavel Kankovsky" said:

> What happens when an insecure CGI program is installed?
>
> 1. With suexec, only the account of the idiot who owns the insecure CGI
>    program is compromised.
> 2. Without suexec, the account the daemon and all other CGI programs run
>    under is compromised.

Not necessarily. If the insecure CGI program was running setuid with the UID of the "idiot's" account then option 2 will not endanger the daemon any more than option 1 will. You don't think that I was advocating running CGI programs setuid *root*, were you?

The setuid scripts in my systems run setuid with the uid of an account specifically set up for that purpose. Usually this is an account with no login shell or home directory, but sometimes not, depending on the circumstances.

Using this approach then...

1. With suexec every CGI program in this account is a potential source of attack that may possibly write data to the system with the privilege of the account owner.
2. Without suexec, only those relatively few CGI programs that actually need to be setuid can be attacked to write data to the system with the privileges of the account owner. The rest run as nobody. They still need scrutiny but not as much as a setuid script does.

If suexec had an option for specifying which CGI programs to run setuid, then I agree that it is a decent wrapper program. Until then, I ain't agonna use it.

This thread is getting off topic. The original poster wanted to know why suexec was a security threat in the minds of his ISP. I think that's been answered, it's a threat because every CGI program on that virtual host is run setuid regardless of whether it needs to be or not. If he has the ability to set permissions on his CGI programs, then he can set the setuid/setgid bits on his programs, but needs to be very careful writing them.

--
-- Lee E. Brotzman                 E-mail: lebat_private
-- Allied Technology Group         Phone : 814-861-5028
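The message above distinguishes the few CGI programs that carry the setuid/setgid bits from the rest that run as the server's user. As an added example (not part of the original message and not suexec code), this Python sketch inventories a CGI directory along that line so the privileged programs can be reviewed first; the function names, finding labels and sample file names are assumptions made for the illustration.

```python
import os
import stat
import tempfile

def classify(mode, uid):
    """Return review findings for one CGI file from its st_mode and owner uid."""
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return []  # no setuid/setgid bit: runs as the web server's own user
    findings = ["privileged"]  # runs with its owner's uid/gid, review first
    if mode & stat.S_ISUID and uid == 0:
        findings.append("setuid-root")  # should be a dedicated account instead
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable-by-others")  # others could replace the program
    return findings

def audit_cgi_dir(path):
    """Map relative file name -> findings for every regular file under path."""
    report = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode):
                rel = os.path.relpath(full, path)
                report[rel] = classify(st.st_mode, st.st_uid)
    return report

def demo():
    """Audit a constructed sample tree (hypothetical file names)."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("counter.cgi", 0o755), ("guestbook.cgi", 0o4755)):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(p, mode)  # set the bits after writing the file
        return audit_cgi_dir(d)

if __name__ == "__main__":
    for name, findings in sorted(demo().items()):
        print(name, findings or ["unprivileged"])
```
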