[ Stuff about cgi-wrap deleted ]
> This is not quite true. cgiwrap (by Nathan Neulinger <nneul@nospam.umr.edu>,
> http://www.umr.edu/~cgiwrap) was designed for multi-user sites like
> university campuses where local users are allowed to create their own
> scripts. Since CGI scripts run under the server's user ID (e.g. "nobody"),
> it is difficult under these circumstances for administrators to determine
> whose script is generating bounced mail, errors in the server log, or
> annoying messages on other users' screens.
Add "Use the user nobody to break into other systems and generally do
damage anonymously". This is the main reason we disabled cgis.
> There are also security implications when all users' scripts run with the
> same permissions: one user's script can unintentionally (or intentionally)
> trash the database maintained by another user's script.
Add "Users can write really bad cgis (who cares about the security
implications? It isn't _my_ account that will be compromised) which
result in people from other systems gaining access to the user nobody"
[ Stuff about users being at risk using cgi-wrap ]
> That doesn't sound like wholehearted enthusiasm on their part to me. In
> fact, since rogue scripts now run under the permissions of a "full" user,
> as it says, there may be more potential for damage than when they run under
> the low-access "nobody" user.
If you can't write a script that is secure enough then it should be your
problem. Up until now it has been our problem. While nobody is a low
access user, it is also an anonymous user. (alarm bells should ring at
this time - the potential to do damage and not get caught springs to
mind)
> It seems that running as "nobody" just allows people to fuck up other WWW
> stuff at the worst... so in other words, we'd all have to trust each other
> that our cgi scripts weren't going to step on our toes. That doesn't sound
> TOO bad to me, or unworkable. Especially compared to letting cgi scripts
> destroy your whole directory.
If I was wanting to break into some unsuspecting system without a trace,
this would be one of the best places to start. Gaining access to a shell
as nobody would have been trivial.
> Is the scripts-running-as-nobody really a _security risk_, or just a small
> hole in absolute traceability?
Well, if we created an account that you were responsible for, and left it
without a password so all progsoc members could use it, would you see it
as a security risk? Sure, you may trust all 400-odd progsoc members to do
the right thing, but are you prepared to take that risk?
Anton
--
Anton Blanchard                         anton@nospam.progsoc.uts.edu.au
Computer Systems Engineering Student    anton@nospam.lister.flex.com.au
University of Technology                ablancha@nospam.acs.itd.uts.edu.au
Sydney, Australia                       http://www.progsoc.uts.edu.au/~anton
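The two points the thread argues over, that one shared "nobody" account lets any user's script touch any other user's data, and that an audit record showing "nobody" cannot be pinned on one user, can be made concrete with a small model of Unix discretionary access checks. The following is an added illustration, not code from the thread, from cgiwrap or from progsoc; the users, file paths and modes are constructed, and the access check models only owner and "other" bits (groups are left out).

```python
# Added example: a toy model of Unix permission checks, used to contrast
#   "shared"   - every user's CGI script runs as the server account "nobody"
#   "per_user" - each script runs under its owner's UID (what a setuid
#                wrapper such as cgiwrap is meant to provide)
# All users, paths and modes below are constructed for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    owner: str
    mode: int  # Unix permission bits, e.g. 0o600


def can_access(principal: str, entry: FileEntry, want: str) -> bool:
    """Return True if `principal` may perform `want` ('r', 'w' or 'x').

    Owner bits apply when the principal owns the file, otherwise the
    "other" bits apply. Group bits are deliberately omitted.
    """
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if principal == "root":
        return True
    if principal == entry.owner:
        return bool((entry.mode >> 6) & bit)
    return bool(entry.mode & bit)


# Constructed file systems: the same two private data files under each model.
# In the shared model the files end up owned by "nobody" because the scripts
# that created them ran as "nobody"; in the per-user model each file is owned
# by the account whose script created it.
SHARED_UID_FS = {
    "/home/alice/cgi-data/votes.db": FileEntry(owner="nobody", mode=0o600),
    "/home/bob/cgi-data/guestbook.db": FileEntry(owner="nobody", mode=0o600),
}
PER_USER_FS = {
    "/home/alice/cgi-data/votes.db": FileEntry(owner="alice", mode=0o600),
    "/home/bob/cgi-data/guestbook.db": FileEntry(owner="bob", mode=0o600),
}


def run_script(script_owner: str, fs: dict, model: str, target: str,
               want: str = "w") -> dict:
    """Simulate `script_owner`'s CGI script trying to access `target`."""
    ran_as = "nobody" if model == "shared" else script_owner
    return {
        "script_owner": script_owner,
        "ran_as": ran_as,
        "target": target,
        "allowed": can_access(ran_as, fs[target], want),
    }


def candidate_authors(ran_as: str, script_owners: set) -> set:
    """Given the UID an audit record shows, which users could be responsible?

    Under the shared model every script owner is a candidate; under the
    per-user model the UID names exactly one account.
    """
    if ran_as == "nobody":
        return set(script_owners)
    return {ran_as} if ran_as in script_owners else set()


if __name__ == "__main__":
    owners = {"alice", "bob"}
    target = "/home/alice/cgi-data/votes.db"
    for model, fs in (("shared", SHARED_UID_FS), ("per_user", PER_USER_FS)):
        result = run_script("bob", fs, model, target)
        suspects = candidate_authors(result["ran_as"], owners)
        print(f"{model:9s} bob's script writes alice's file: "
              f"allowed={result['allowed']}, audit shows uid={result['ran_as']}, "
              f"possible authors={sorted(suspects)}")
```

Running the block shows bob's script writing alice's database only under the shared model, and shows that the audit trail in that model narrows the author down to "every user with a script" rather than to one account, which is the traceability gap the thread describes.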