Re: [cobalt-users] OFFTOPIC: Faking CGI environment
- Subject: Re: [cobalt-users] OFFTOPIC: Faking CGI environment
- From: "manitu" <manitu@xxxxxxxxxx>
- Date: Tue Mar 14 01:04:28 2000
> Not exactly. Normal users are able to view these scripts and execute them.
> However, running them won't get you very far. Cobalt's GUI is powered by
> another copy of apache running an alternate config file on port 81
> setuid/gid root,root. There is no cgiwrap on this, so all cgi scripts are
> run as the httpd user, which is root.
>
> These scripts will only really work when they are run as root. You can
> probably fake the environment and get them to run, but they will fail to do
> anything that would compromise security because a normal user wouldn't have
> the rights to write to certain files that the gui scripts write to (I've
> only looked at the user management cgis, which write to files such as
> /etc/passwd, and because of the file permissions only root can write to
> these).
Yes, you're right. Sorry for the confusion that I probably produced. I am
now using some extra checks (e.g. checking the effective user id) and it
works great.
Thanks
Manuel
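
Added example, not part of the original message and not Cobalt's or the poster's code: a sketch of the kind of effective-uid check mentioned above, next to a guard that trusts only the CGI environment. The function names, the sample environment and the use of `SERVER_PORT`/`GATEWAY_INTERFACE` as the environment test are assumptions; only port 81 and the root requirement come from the thread.

```python
import os

# Assumptions: the admin server's port (81) and the root requirement come from
# the thread; the variable names are the standard CGI ones (RFC 3875).
ADMIN_PORT = "81"
REQUIRED_EUID = 0


def naive_guard(env):
    """Trusts only the CGI environment, which any local user can set by hand."""
    return (env.get("GATEWAY_INTERFACE", "").startswith("CGI/")
            and env.get("SERVER_PORT") == ADMIN_PORT)


def hardened_guard(env, euid=None):
    """Fail fast unless the process really has the expected effective uid.

    The effective uid is assigned by the kernel and cannot be set through
    environment variables. File permissions remain the actual boundary;
    this check only stops the script before it does partial work.
    """
    if euid is None:
        euid = os.geteuid()
    if euid != REQUIRED_EUID:
        return False, f"effective uid {euid} is not {REQUIRED_EUID}"
    if not naive_guard(env):
        return False, "not invoked by the admin web server"
    return True, "ok"


# Constructed sample: an environment set by hand from a shell account.
FAKED_ENV = {
    "GATEWAY_INTERFACE": "CGI/1.1",
    "SERVER_PORT": "81",
    "REQUEST_METHOD": "POST",
    "REMOTE_USER": "admin",
}

if __name__ == "__main__":
    print("naive guard, faked env:      ", naive_guard(FAKED_ENV))
    print("hardened guard, uid 1001:    ", hardened_guard(FAKED_ENV, euid=1001))
    print("hardened guard, uid 0:       ", hardened_guard(FAKED_ENV, euid=0))
```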