CGI: Safety First
With the current Web hype a system administrator's nightmare has come true: every user on his system wants to have a home page and wants to do CGI programming. The urge to be on the Web is too strong to keep them off. If they had some elementary knowledge of security, things would not be so bad, but this is not the case: most of those users grew up with MS-DOS, where insecurity is a de facto standard. They have a dangerous attitude toward your system.
One major problem with CGI programming is writing to a file; the web server doesn't run as the user who wrote the CGI script—when it tries to write something in a file, it gets a permission denied error. Lowering the permission of that file isn't a solution—it is just plain disastrous.
As you might know, a web server (typically called httpd) can be run by any user. However, if you want to have the server listening on the HTTP port (port no. 80 according to STD 2, the Internet standard describing “Assigned Numbers”, at this moment, RFC 1700), it must be started up as root. Normally this is done at boot time from one of the rc files located in /etc. Since running the web server as root is a serious breach of security, all web servers can be configured to run as a different user, say user “www”.
You normally would see one server, running as root, which is responsible for opening port 80 and forking off a copy of itself that is running as www. It starts up as many servers as are needed to handle your load (you can often set a minimum and maximum number of servers in the configuration files). The one running as root does no HTTP stuff—that is done by child servers running as www.
There is one inherent security risk in running CGI scripts when everybody can write CGI scripts: the scripts can be read by other users. Even if you remove read permission of others and make the script readable and executable by the server's group only, another person can write a script reading the source of your script. If it is important that the source of the program remains secure, you shouldn't be writing a script. Compiled programs don't have to be readable to be executable, whereas scripts must be both readable and executable.
Before we proceed with the real issue, just consider a few of the consequences of the server running as www. Consider the following script:
#!/bin/sh cp /bin/sh /home/cracker/bin/sh chmod 4755 /home/cracker/bin/sh cat << EOF Content-type: text/plain There is no such thing as a secure server! EOF
You now have created a suid www shell that any cracker can use! For this reason it is important that the user www not have a home directory and not own any important files. Another infamous trick is to send a STOP signal to all servers; that is really sneaky (do you know why?). If you find these kinds of scripts unacceptable, you should ban CGI programming for everybody on your system except a few trusted users.
It should be clear that running all your servers as root is a definite no-no. It is like removing the password entry of root from the password file. If all your servers run as root, dash to your system administrator to correct this and don't leave before it is corrected. If he is hard to convince, well, you have root privileges and maybe you should give him a demonstration of how you can correct his mistake!
The trouble starts when user foo wants to write something in a file. Well, just for the sake of argument we will increment an access counter in a file ~foo/www/access. For example, look at the script counter.sh (it is not very customary to use a Bourne script for CGI programming, but it does the job):
#!/bin/sh ACCESS= ACCESS= rm /home/foo/www/access echo $ACCESS > /home/foo/www/access cat << EOF Content-type: text/plain You are number $ACCESS to visit this page! EOF
A nice little script with one problem: it does not work. It would have worked if foo had executed it, but alas, www was the one who ran the script. User foo might then immediately lower his security by entering: chmod 666 access. And since he noticed his default permissions are always wrong, he makes sure he regularly does a chmod 666 *--being unaware of the option of setting his UMASK. Don't think this doesn't occur in real life—I've had several colleagues doing exactly that. Be assured, they were all dedicated MS-DOS users.
Some of them learned it is easier if he doesn't change the files individually, but rather the directories (I almost jumped out of my room when I heard this one): chmod 777 . He didn't realize the writing succeeded because the daemon was able to remove the file access. But not just www could have done it—anybody could have done it!
Quickly entering chmod 1777 may seem the right thing to do. Don't you believe it. Indeed, it isn't that bad, but still, anybody on your system can remove that file with a CGI script.
|Dynamic DNS—an Object Lesson in Problem Solving||May 21, 2013|
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
- RSS Feeds
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- New Products
- Validate an E-Mail Address with PHP, the Right Way
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Download the Free Red Hat White Paper "Using an Open Source Framework to Catch the Bad Guy"
- Tech Tip: Really Simple HTTP Server with Python
- Home, My Backup Data Center
- Please correct the URL for Salt Stack's web site
1 hour 37 min ago
- Android is Linux -- why no better inter-operation
3 hours 52 min ago
- Connecting Android device to desktop Linux via USB
4 hours 21 min ago
- Find new cell phone and tablet pc
5 hours 19 min ago
6 hours 48 min ago
- Automatically updating Guest Additions
7 hours 56 min ago
- I like your topic on android
8 hours 43 min ago
- This is the easiest tutorial
15 hours 19 min ago
- Ahh, the Koolaid.
20 hours 57 min ago
- git-annex assistant
1 day 2 hours ago
Enter to Win an Adafruit Pi Cobbler Breakout Kit for Raspberry Pi
It's Raspberry Pi month at Linux Journal. Each week in May, Adafruit will be giving away a Pi-related prize to a lucky, randomly drawn LJ reader. Winners will be announced weekly.
Fill out the fields below to enter to win this week's prize-- a Pi Cobbler Breakout Kit for Raspberry Pi.
Congratulations to our winners so far:
- 5-8-13, Pi Starter Pack: Jack Davis
- 5-15-13, Pi Model B 512MB RAM: Patrick Dunn
- 5-21-13, Prototyping Pi Plate Kit: Philip Kirby
- Next winner announced on 5-27-13!
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?