[3695] in WWW Security List Archive
Re: CGI padded cell: cgi-wrap, chroot, and the "nobody shell"
daemon@ATHENA.MIT.EDU (Dave Dittrich)
Wed Dec 4 16:12:01 1996
Date: Wed, 4 Dec 1996 10:55:22 -0800 (PST)
From: Dave Dittrich <dittrich@cac.washington.edu>
To: Prentiss Riddle <riddle@is.rice.edu>
cc: www-security@ns2.rutgers.edu, nerudas@nationwide.com
In-Reply-To: <199612041834.MAA00569@is.rice.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
> Note that running CGI scripts as a user's UID is only a *partial*
> solution. It means that you no longer have to worry about your users
> getting "nobody shell" access, but you still have to worry about third
> parties getting access to your user's UID (unless you trust your users
> never to commit any of the classic CGI programming errors).
I won't argue that a malicious user could run programs on the system
as a user, which means that if you aren't using shadowed passwords,
you are pretty vulnerable. Take away login access to the server and
you limit the damage to just running commands and looking at files.
Take away read permission from critical system files and you further
protect the server. It won't be 100% secure, but then no system
really is unless you also disconnect the power supply. ;)
> On most
> Unix systems, an outsider could wreak at least as much damage under a
> user's UID as under "nobody".
I disagree. If modest measures are taken to isolate the server and
user environment from critical system information and you partition
web service from login service, I think the damage is a subset of
running as "nobody" (in the case where the server also runs as nobody,
which is what most servers with user written CGI programs involve).
In this case, running as the user != server UID means you can't
implement any of the denial of service attacks I alluded to. As the
same uid as the server, the damage is far worse. As long as you have
good backups of the web server's operating system and files you are
serving, you should be pretty safe and could come back up in very
little time if the system is breached. If you do web service from
a system that people have login access to and/or that shares passwords,
home directories, etc. with other systems, you are out on a weak limb
and CGI is a gusty wind.
The thing we both agree on, I think, is that you must spend a large
amount of time/effort to make a secure web server environment (no matter
what OS you choose, Unix, NT, MacOS...) if you allow untrusted users
to install CGI programs that are run by the server and not risk
compromise of the server. Most small ISPs and (I would argue) the
vast majority of web servers set up on personal workstations by
inexperienced system administrators (heck, even experienced ones!)
have a great number of weaknesses sitting there waiting to be
exploited. The hacks of the Justice Department and CIA servers are
examples, but at least these systems were partitioned (as I describe
above) outside of firewalls and trusted networks.
--
Dave Dittrich                     Client Services
dittrich@cac.washington.edu       Computing & Communications
                                  University of Washington
http://www.washington.edu/People/dad/
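The three mitigations the message above relies on (shadowed passwords, critical files not readable by "other", and CGI programs not running under the server's own UID) can be checked with a small audit script. This is an added example, not code from the thread; it assumes a POSIX shell with `ls` and `awk`, and the passwd file, cgi-bin directory and server account name are parameters so it can be run against a staging copy.

```shell
#!/bin/sh
# Added example (not from the thread): audit a host for the three
# mitigations discussed, with paths passed in so it can run on a copy.

# Returns 0 if no account in the given passwd-format file carries a real
# hash in field 2, i.e. shadowed passwords are in use (someone who reads
# /etc/passwd through a CGI hole then gets no hashes to crack).
passwd_is_shadowed() {
    # "x", "", or anything starting with "*" or "!" is not a hash
    awk -F: 'BEGIN { bad = 0 }
             $2 != "x" && $2 != "" && $2 !~ /^[*!]/ { bad = 1 }
             END { exit bad }' "$1"
}

# Returns 0 if "other" has no read bit, as recommended for critical files.
not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}

# Reports CGI programs that would run with the server's own UID (owned by
# it), or that are world-writable or setuid; returns 1 if any is found.
# $2 is the account the httpd runs as; defaults to "nobody" as in the thread.
audit_cgi_dir() {
    dir=$1; server_user=${2:-nobody}; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        perms=$(ls -ld "$f" | cut -c1-10)
        owner=$(ls -ld "$f" | awk '{ print $3 }')
        if [ "$owner" = "$server_user" ]; then
            echo "$f: owned by $server_user, runs with the server UID"
            rc=1
        fi
        case $perms in
            ????????w?) echo "$f: world-writable"; rc=1 ;;
        esac
        case $perms in
            ???[sS]??????) echo "$f: setuid"; rc=1 ;;
        esac
    done
    return $rc
}
```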