From: Matthew Seaman
Organization: Infracaninophile
Date: Fri, 22 Jan 2010 17:14:47 +0000
To: DAve
Cc: 'User Questions' (freebsd-questions@freebsd.org)
Subject: Re: Securing cgi scripts
Message-ID: <4B59DD07.6020505@infracaninophile.co.uk>
In-Reply-To: <4B59BC65.3040905@pixelhammer.com>

DAve wrote:
> Good morning all,
>
> I have been working on an issue here where I am being asked if we can
> support letting clients install and run their own CGI scripts on a
> shared vhost. I have tried sbox and cgiwrap, both of which worked, but they
> cannot stop the one test of reading the /etc/passwd file.
>
> Forgive my ignorance here, but I thought CGIs were gone long ago and
> have not messed with them in over ten years.
> If a client really needs a
> specific CGI script hosted, I check it out thoroughly and install it
> where they cannot reach it. Those instances are very very rare.
>
> It looks to me like the only way to keep a client contained is to run
> their CGIs chrooted. Would this be correct?

CGI programs run in the OS filesystem context, so there's generally nothing
to stop them reading /etc/passwd. They are essentially the same level of
risk as an unprivileged user login account.

Mind you, pretty exactly the same thing applies if you let your customers
supply their own PHP or perl or other programs which run using an interpreter
embedded in the apache process: they can access anything accessible to the
web server process.

I should point out that unprivileged users are *meant* to be able to read
/etc/passwd -- it's /etc/master.passwd that has the sensitive stuff in it.

In fact, the bigger problem with running CGI programs from a shared
webserver is that they generally all run using the same security
credentials; those of the web server (www:www by default) -- which
potentially lets all your different customers tread on each other's toes.
suexec(8) is the stock solution to that problem.

If you really want to keep your customers properly separated, then send
them to jail(8). While giving them each a separate jail with a full
install of apache etc. certainly does work, it implies dedicating at least
an IP per customer. You could avoid that by still keeping a single apache
instance but use something like an fCGI process per customer running each in
separate jails hanging off the loopback i/f.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
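As an added illustration (not part of the original thread), a small Python model of the shared-credentials point Matthew makes: with stock CGI every script runs as www:www and can read every customer's files that apache itself can serve, while under suexec(8) each script runs as its owner and is confined by ordinary file modes. The file tree, uids and modes are constructed sample values; www:www as uid/gid 80 assumes FreeBSD's default.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class FileRec:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o640

def can_read(f, uid, gids):
    """Plain POSIX read check: owner bits, else group bits, else other bits.
    Ignores ACLs and jail boundaries; root (uid 0) reads everything."""
    if uid == 0:
        return True
    if uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

def readable_by(tree, uid, gids):
    return [f.path for f in tree if can_read(f, uid, set(gids))]

# Constructed sample tree (not from the thread). www:www is uid/gid 80 on
# FreeBSD; customer files are owner:www 0640 so apache itself can serve them.
WWW = (80, {80})
CUSTOMERS = {"alice": (1001, {1001}), "bob": (1002, {1002})}
TREE = [
    FileRec("/etc/passwd", 0, 0, 0o644),         # world-readable by design
    FileRec("/etc/master.passwd", 0, 0, 0o600),  # the sensitive one
    FileRec("/home/alice/db.conf", 1001, 80, 0o640),
    FileRec("/home/bob/db.conf", 1002, 80, 0o640),
]

def cross_customer_reads(tree, customers, suexec):
    """Per customer, the other customers' files its CGI could read.
    suexec=False: every CGI runs as www:www (stock CGI handling).
    suexec=True: each CGI runs under its owner's uid/gid, as suexec(8) does."""
    leaks = {}
    for name, ident in customers.items():
        run_uid, run_gids = ident if suexec else WWW
        other_uids = {u for n, (u, _) in customers.items() if n != name}
        leaks[name] = sorted(f.path for f in tree
                             if f.uid in other_uids and can_read(f, run_uid, run_gids))
    return leaks

if __name__ == "__main__":
    print("shared www:www ->", cross_customer_reads(TREE, CUSTOMERS, suexec=False))
    print("suexec(8)      ->", cross_customer_reads(TREE, CUSTOMERS, suexec=True))
```

Run on a real host, the same check would be done against stat(2) results for the document roots rather than the constructed records above; the model deliberately stops at file modes, which is exactly the boundary jail(8) is brought in to strengthen.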