[unisog] creating secure asp/cgi servers

Albert Lunde Albert-Lunde at northwestern.edu
Tue Jun 4 17:19:10 GMT 2002

> > web pages for security reasons.  I was wondering how any of you deal with
> > this issue.  I thought I heard about wrapping software to prevent poorly
> > written scripts from doing any damage.  Any references to some material
> > would be greatly appreciated.
> Speaking from the UNIX point of view, Apache comes with su_exec
> <http://httpd.apache.org/docs/suexec.html> that is used to run CGI's
> and SSI's as a particular user (also used for allowing virtual hosts
> to run as a different user from the main web server).
> A more general solution is cgiwrap <http://cgiwrap.unixtools.org/>,
> which is a setuid CGI script that runs other CGI's.

The general issue with this kind of wrapper is that a significant
number of security vulnerabilities for Unix involve a local
user getting more privileges. Giving a remote user the ability
to execute arbitrary commands as _any_ user turns those local
vulnerabilities into remote vulnerabilities.

The userid your web server runs as may have fewer privileges
than a general user account (though it may be able to do
more damage to the web server processes), so running CGIs
as the user owning the script is more of a trade-off than
a uniform win.

My experience has been that the majority of people who know
enough to write CGI scripts don't pay attention to security
issues until they are called to their attention. This includes
IT staff, and certainly students. Scripts off the net
can be an equal risk, because one can assume the attacker
may have the source code. A notorious example is formmail
which has been actively exploited by spammers.

We don't allow CGI scripting on the web server with personal home pages.
Our main server allows departments to create scripts, but they
are only put into production after prior review for security/reliability
issues. Policy is leaning towards restricting that further;
in any case we want to steer people towards generic scripts
when possible.

