[cobalt-users] CGI and root
- Subject: [cobalt-users] CGI and root
- From: "John Parris" <jparris@xxxxxxxxxxxxxx>
- Date: Mon Jul 3 10:07:02 2000
> CustomLog "| /home/sites/siteXX/web/cgi-bin/pennywize.cgi"
> "%h|%u|%s|customer"
absolutely don't run it from user web space, it's completely unprotected,
(remember even if ordinary users can't write it, they can still rename it
and drop something else in its place, they own the site/web directory)
this is kinda evil ;0 in theory you could suid-user it or wrap it, but
this isn't really going to protect it well, it should be somewhere not in
a directory users can write, and you had better be really sure it's
safe...if it insists on running in web space because it's accessing
datafiles, then i'd lose it and tell the customer it's too
dangerous/badly written or whatever
is it a binary or perl? if it's perl you might be able to help it a little
by telling perl to run it safely...but i wouldn't depend on this much ;0

Right now it's running from user web space. The program appears to be legit
and it's a commercial perl script. The program is pennywize...
www.pennywize.com . I'm not really familiar with how suid stuff works
exactly and I don't know how to wrap it either. Can you help with that? Is
there a way to spawn cgiwrap from the CustomLog and make cgiwrap run the
pennywize.cgi file?
Thanks
John
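
The risk raised in the quoted reply can be checked mechanically. The following is an added example, not part of the original message or of any Cobalt or Apache tooling: it pulls the program out of each piped log directive and walks every directory above it, reporting any component an account outside the trusted set could write to or swap out. The function names and the `trusted_uids` parameter are hypothetical, and the sample directive is constructed from the one quoted above.

```python
import os
import re
import shlex
import stat

# Log directives that accept a "|program" pipe. Apache starts the program
# from the parent server process, which normally runs as root.
LOG_DIRECTIVE = re.compile(r'^\s*(?:CustomLog|ErrorLog|TransferLog)\s+(.+)$', re.I)

def piped_programs(conf_text):
    """Return the program path of each piped log directive in conf_text."""
    programs = []
    for line in conf_text.splitlines():
        m = LOG_DIRECTIVE.match(line)
        if not m:
            continue
        args = shlex.split(m.group(1))
        if args and args[0].startswith("|"):
            command = shlex.split(args[0][1:])
            if command:
                programs.append(command[0])
    return programs

def replaceable_by(path, trusted_uids=(0,)):
    """List (component, reason) for every part of path that an account
    outside trusted_uids could modify, rename or swap out."""
    findings = []
    current = os.path.realpath(path)
    while True:
        try:
            st = os.stat(current)
        except OSError:
            findings.append((current, "missing or unreadable"))
        else:
            if st.st_uid not in trusted_uids:
                findings.append((current, "owned by uid %d" % st.st_uid))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((current, "group- or world-writable"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return findings
        current = parent

# Constructed sample, modelled on the directive quoted in the message.
SAMPLE_CONF = 'CustomLog "| /home/sites/siteXX/web/cgi-bin/pennywize.cgi" "%h|%u|%s|customer"'

if __name__ == "__main__":
    for program in piped_programs(SAMPLE_CONF):
        for component, reason in replaceable_by(program):
            print("%s: %s (%s)" % (program, component, reason))
```

A script whose own mode is 0755 and owner is root is still reported when any directory above it belongs to a site user, which is the rename-and-replace case the reply describes.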