Re: [cobalt-users] CGI and root

[flash22@xxxxxxx]

On Mon, 3 Jul 2000, John Parris wrote:

> > CustomLog "| /home/sites/siteXX/web/cgi-bin/pennywize.cgi"
> > "%h|%u|%s|customer"
> []
> Right now it's running from user web space. The program appears to be legit
> and it's a commercial perl script. The program is pennywize...
> www.pennywize.com . I'm not really familiar with how suid stuff works
> exactly and I don't know to wrap it either. Can you help with with that? Is
> there a way to spawn cgiwrap from the CustomLog and make cgiwrap run the
> pennywize.cgi file?

hmm, figures it's a security program....

You really ought to address this issue with them, it's awfully hard to
tell what the consiquences would be of changing the way it's installed
since i can't see the script....

in theory something like this would be minimal, but it may not work,
depends how the script is written....

CustomLog   "/usr/bin/perl -T -e
/home/sites/siteXX/cgi-bin/pennywise.cgi" formatstuff

However, if the script wasn't intended to be run this way you will
probably gets lots of errors (-T says to 'taint' the script, ie mark it
as untrusted, the interpreter will limit what it allows the script to do)

If the script isn't clean however it's not goung to run....
cgiwrap won't work unless invoked from the server as a cgi, there are
enviroment variables passed to it....

By 'wrapping' the script i mean having a small program that changes to a
reasonable user id and then runs the script...perl used to come with one,
but it had a big security hole in it, dunno if it's still included,
there's probably one floating around, it's like a 3 line program...
but again, ig pennywize is expecting to have enough permissions to modify
access control files, it might not be happy, it would have been nice if
they had split it into 2 pieces for you so you could put the part that
reads the log info somewhere safer...

ps: does this thing really work? wondering because by default the raq's
error logs are split from the user logs...

g