[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[cobalt-developers] Re: cgitelnet.pl security issue
- Subject: [cobalt-developers] Re: cgitelnet.pl security issue
- From: Chris Adams <cmadams@xxxxxxxxxx>
- Date: Mon Jan 28 20:21:10 2002
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
Once upon a time, Paul Adamson <mail@xxxxxxxxxxxxxxxxx> said:
> Research something called cgiwrapper, it's a 'sandbox' which the cgi gets to
> play in to stop it breaking anything. Here it is...
RaQs (since the RaQ2 IIRC) already use cgi-wrapper. However, since
Cobalt has always used a 100% wide-open Apache config, all it takes to
avoid cgi-wrapper is:
Options FollowSymLinks ExecCGI Includes SymLinksIfOwnerMatch
AddHandler cgi-script .cgi
in a .htaccess file to make your CGI run as user httpd and group httpd
(which means you can avoid any disk quotas for your CGI generated files,
CGI restrictions from the web interface, etc.). The option for
enabling/disabling CGI in the web interface is a "feel good" option
only; anyone with an account on a RaQ can run CGI.
And through that, they can also get shell access (another Cobalt web
interface option that is useless).
On the RaQ3 and up, any user can also write mod_perl extensions that
will run in the Apache server, which means that they can get into all
kinds of stuff (including possibly SSL private certificates of other
sites).
--
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.