
[cobalt-security] Re: [cobalt-users] CGI and root



On Fri, 30 Jun 2000, John Parris wrote:
> I have a customer that needed a program called Pennywize installed. Part of
> the installation 'requires' the following line in the httpd.conf:
> 
> CustomLog "| /home/sites/siteXX/web/cgi-bin/pennywize.cgi" "%h|%u|%s|customer"

> I've noticed that this causes the pennywize.cgi file to run as root. My
> question is, is there a way to make the CGI run as the admin user of the
> site, as nobody, or using cgiwrap? Having a CGI run as root is making me
> nervous.

You can't run cgiwrap because it's not really being run as a cgi, just a
plain program, it's running as root because the web server starts as root
and it's (badly) passing this along to the piped program (someone yell at
the apache folks for this ;)

absolutely don't run it from user web space, it's completely unprotected,
(remember even if ordinary users can't write it, they can still rename it
and drop something else in its place, they own the site/web directory)
this is kinda evil ;0 in theory you could suid-user it or wrap it, but
this isn't really going to protect it well, it should be somewhere not in
a directory users can write, and you had better be really sure it's
safe...if it insists on running in web space because it's accessing
datafiles, then I'd lose it and tell the customer it's too
dangerous/badly written or whatever

is it a binary or perl? if it's perl you might be able to help it a little
by telling perl to run it safely...but I wouldn't depend on this much ;0

kg.
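
The check the reply describes, as an added example that is not part of the original message or of Apache: find every piped log program in an httpd.conf and flag the program and any ancestor directory that a non-root user could rename or replace. The function names, the sample config and the choice to also flag group-writable paths are assumptions made for this illustration.

```python
import os, re, shlex, stat

# Constructed sample: the CustomLog line quoted in the thread plus an ordinary file log.
SAMPLE_CONF = '''
CustomLog /var/log/httpd/access_log common
CustomLog "| /home/sites/siteXX/web/cgi-bin/pennywize.cgi" "%h|%u|%s|customer"
'''

LOG_DIRECTIVE = re.compile(r'^\s*(CustomLog|ErrorLog|TransferLog)\s+(.+)$', re.I)

def piped_programs(conf_text):
    """Return [(directive, program)] for each log directive that pipes to a program."""
    found = []
    for line in conf_text.splitlines():
        m = LOG_DIRECTIVE.match(line)
        if not m:
            continue
        try:
            args = shlex.split(m.group(2))
        except ValueError:           # unbalanced quotes: skip the line
            continue
        if args and args[0].startswith('|'):
            cmd = shlex.split(args[0].lstrip('|$ '))   # handles "|", "||" and "|$"
            if cmd:
                found.append((m.group(1), cmd[0]))
    return found

def unsafe_components(path, trusted_uids=(0,)):
    """Return [(path, reason)] for the program and each ancestor directory
    that someone other than a trusted uid could modify, rename or replace."""
    problems, p = [], os.path.abspath(path)
    while True:
        try:
            st = os.lstat(p)
        except OSError:
            problems.append((p, "cannot stat"))
        else:
            if st.st_uid not in trusted_uids:
                problems.append((p, "owned by uid %d" % st.st_uid))
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append((p, "group/world writable"))
        parent = os.path.dirname(p)
        if parent == p:
            return problems
        p = parent

if __name__ == "__main__":
    for directive, prog in piped_programs(SAMPLE_CONF):
        for where, why in unsafe_components(prog):
            print("%s -> %s: %s %s" % (directive, prog, where, why))
```

An empty result from `unsafe_components` only says the file cannot be swapped out by a non-root user; it says nothing about whether the program itself is safe to run as root.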