[3693] in WWW Security List Archive
CGI padded cell: cgi-wrap, chroot, and the "nobody shell"
daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Wed Dec 4 16:03:40 1996
From: Prentiss Riddle <riddle@is.rice.edu>
To: www-security@ns2.rutgers.edu
Date: Wed, 4 Dec 1996 12:34:48 -0600 (CST)
Cc: dittrich@cac.washington.edu, nerudas@nationwide.com
In-Reply-To: <32A5889F.5D9B@nationwide.com> from "Steve Neruda" at Dec 4, 96 09:20:15 am
Errors-To: owner-www-security@ns2.rutgers.edu
> From: Dave Dittrich <dittrich@cac.washington.edu>
> To: Andrea Di Fabio <fabio@cs.odu.edu>
> Subject: Re: Hole: nobody shell
>
> Yes, this is a widespread problem. The solution is to run CGI scripts
> as the user's UID, rather than as the server's UID. Until the most
> recent beta of Apache, you had to do this with "wrapper" programs that
> are setuid root and written carefully.
Note that running CGI scripts as a user's UID is only a *partial*
solution. It means that you no longer have to worry about your users
getting "nobody shell" access, but you still have to worry about third
parties getting access to your user's UID (unless you trust your users
never to commit any of the classic CGI programming errors). On most
Unix systems, an outsider could wreak at least as much damage under a
user's UID as under "nobody".
| Date: Wed, 04 Dec 1996 09:20:15 -0500
| From: Steve Neruda <nerudas@nationwide.com>
| To: Brian Harvell <harvell@inet.net>
| Subject: Re: Hole: nobody shell
|
| I really wish that more of the http servers ran in a true change root
| environment (rather than limiting access by config like most servers
| do). This would prevent people from getting to things like xterm
| (though I suppose having Perl in your change rooted area still leaves
| a lot of tools to play with).
Chroot is another partial solution. Chroot only isolates CGI scripts
from the filesystem, not other abusable resources (such as the net
itself). And unless I'm mistaken, it would be quite difficult to run
CGI scripts under users' UIDs *and* run chroot.
Has anybody gotten both cgi-wrap and chroot to work? If so, which
server did you use and were there any other tricks necessary?
I'm also interested in more creative approaches to providing a safe
"padded cell" environment for CGI scripts. Has anyone looked into
server-side Java as a safe CGI medium? I mean "server-side Java" in
the generic sense, not necessarily the product TM'ed under that name.
With Java's (perhaps not flawless) support for aggressive security
models, it might be just the thing for giving CGI scripts the minimal
access rights they need to get a particular job done. I'm sure there
would be other contenders as well (another candidate might be safe
Tcl).
Has anyone looked into this seriously? IMHO, existing web server
software mostly seems to assume that everything is under the control of
a single godlike webmaster. Trying to host multiple CGI projects on a
single server is as risky as hosting multi-user projects on a
single-user operating system.
-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-- Home office: 2002-A Guadalupe St. #285, Austin, TX 78705 / 512-323-0708
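An added illustration of the "classic CGI programming error" the message above alludes to, and of why it is independent of the UID question: this is example code written for this archive page, not code from the thread or from cgi-wrap/Apache. It assumes a POSIX system with /bin/sh, uses `echo` as a harmless stand-in for /usr/lib/sendmail, and the form field, addresses and payload are constructed for the demonstration.

```python
"""Added example (not part of the original thread): the 1990s CGI mistake of
pasting form input into a shell command line, beside two fixes that work
whatever UID the script runs under. 'echo' stands in for /usr/lib/sendmail
(an assumption of this example, not of the post)."""
import re
import subprocess

# Constructed sample inputs for a hypothetical "mail me the results" form.
GOOD_ADDR = "alice@example.org"
EVIL_ADDR = "alice@example.org; echo INJECTED"   # shell metacharacter smuggled in

# Strict allow-list for the one field this script accepts; anything else is rejected.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def vulnerable_send(addr):
    """The Perl idiom open(MAIL, "| /usr/lib/sendmail $addr"): user input is
    concatenated into a command line that /bin/sh then parses, so a ';' in
    the field starts a second command. Returns what the shell printed."""
    cmd = "echo sending to " + addr          # 'echo' stands in for sendmail
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def argv_only_send(addr):
    """First fix: exec the program with an argv list and no shell. The same
    hostile string is now a single literal argument; nothing interprets it."""
    out = subprocess.run(["echo", "sending to", addr],
                         shell=False, capture_output=True, text=True)
    return out.stdout


def hardened_send(addr):
    """Second fix, layered on the first: validate the field against an
    allow-list before it goes anywhere near exec(). Raises on bad input."""
    if not ADDR_RE.fullmatch(addr):
        raise ValueError("rejected address: %r" % addr)
    return argv_only_send(addr)


def injected(output):
    """True if the attacker's appended command actually ran as its own line."""
    return "INJECTED" in output.splitlines()


def rejects(addr):
    """True if hardened_send refuses the input outright."""
    try:
        hardened_send(addr)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_send(EVIL_ADDR), end="")   # second line 'INJECTED' shows up
    print(argv_only_send(EVIL_ADDR), end="")    # one line, payload printed literally
    print("hardened rejects hostile input:", rejects(EVIL_ADDR))
    print(hardened_send(GOOD_ADDR), end="")
```

The point the example makes is the one in the message: the shell runs the injected command with whatever privileges the CGI process has, so switching that process from "nobody" to the user's UID changes who gets compromised, not whether. Passing an argv list without a shell, and validating the field before use, close the hole at either UID.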