[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] CGI and root

Subject: Re: [cobalt-users] CGI and root
From: Cody Watkins <codyw@xxxxxxxxxxxxxxxxx>
Date: Mon Jul 10 16:50:07 2000

At 10:57 AM 7/3/2000 -0700, you wrote:
>John,
>
>doesn't it say in the cobalt manual (Raq3i) to create a v-site's cgi-bin in
>under "web" of the site?
>
>~ Theo
>
>John Parris wrote:
>
>> > CustomLog "| /home/sites/siteXX/web/cgi-bin/pennywize.cgi"
>> > "%h|%u|%s|customer"
>>
>> absolutly don't run it from user web space, it's completly unprotected,
>> (remember even if ordinary users can't write it, they can still rename it
>> and drop something else in it's place, they own the site/web directory))
>

It does say that in the manual, but that does not take into account that
scripts running as root should never be run from somewhere where a regular
user can alter it.  This would be a potential security hole into your
server if you ran it from user accessable space.  A user could rename the
script, and make a new one in its place.  The new script could then do
anything it wants to.  It could change user infomation, and allow that
person to get access to the RaQ3 Admin area in the GUI, they could crash
your computer, load hidden software, anything.  Root access to a remote box
is a hackers dream.

John has a very good point. You should just tell the client that the script
could potentially comprimise security on the box, and that you will not
install it.

Thats my $0.02

Sincerely,
Cody Watkins
Paradox Web Hosting
www.paradoxwebhosting.com

References:
- [cobalt-users] CGI and root
  - From: John Parris
- Re: [cobalt-users] CGI and root
  - From: Theodore Jones

Prev by Date: Re: [cobalt-users] Stopping & Starting httpd
Next by Date: [cobalt-users] please... help...? [RaQ3i]
Previous by thread: Re: [cobalt-users] CGI and root
Next by thread: Re: [cobalt-users] CGI and root

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index