[1643] in WWW Security List Archive
Re: CGI Scripts and Permissions
daemon@ATHENA.MIT.EDU (Liz Stokes)
Thu Mar 14 18:36:47 1996
From: Liz Stokes <ilaine@panix.com>
To: paulp@cerf.net (Paul Phillips)
Date: Thu, 14 Mar 1996 14:49:05 -0500 (EST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SUN.3.91.960314093703.26309A-100000@nic.cerf.net> from "Paul Phillips" at Mar 14, 96 09:38:59 am
Errors-To: owner-www-security@ns2.rutgers.edu
Paul Phillips wrote:
>
>
>
> On Thu, 14 Mar 1996, Liz Stokes wrote:
>
> > I hacked our server to run scripts as the uid of the owner. It gives the
> > same effect as wrappers without the overhead.
>
> [...] but with the added bonus that you get to run it as root all the
> time so it can switch UIDs.
What? Nonsense. It does a seteuid instead of a setuid at the outset and
runs as 'web'. If it is going to exec a script it first sets uid back to 0,
if that fails it dies. If successful, it does a setuid (not euid) to the
script owner (unless that is 0 of course) also dying on failure. Only if
uid == ownerid does it agree to exec.
--
Liz Stokes
ilaine@panix.com
