
Re: Stuck between Chrooted FTP and SSH



Adam said:
> On Mon, Sep 20, 2004 at 10:45:02AM -0700, Drain Fade wrote:
>> jason_(_at_)_dixongroup_(_dot_)_net said:
>> > $ cat /some/users/cgi-bin/index.cgi
>> >
>> > #!/usr/bin/perl
>> >
>> > print "Content-type: text/html\n\n";
>> > print "<html><head><title></title></head><body>";
>> >
>> > foreach (keys %ENV) { print "<b>$_</b> $ENV{$_}<br>"; }
>> > foreach (`ls $ENV{home}`) { print "$_<br>"; }
>> >
>> > print "Insert more stuff here to allow uploads, other bad stuff, etc...";
>> > print "</body></html>";
>> > # EOF
>> >
>> >
>> > --
>> > Jason Dixon, RHCE
>> > DixonGroup Consulting
>> > http://www.dixongroup.net
>> >
>> man suexec, the most important details being found right here:
>> http://httpd.apache.org/docs/suexec.html#model
>>
>
> Suexec lets the cgis run as the user, meaning they can see and do
> exactly the same stuff as if they logged in with a shell.  This is very
> simple to understand, shells come with the OS for a reason.  Giving
> someone cgi access is the same as giving them a shell.  There are no
> additional security problems that you don't already have to deal with
> from the cgi access.  Unix has handy things like permissions to deal
> with this.
Not if they don't have a real account they can't. Suexec checks many
different ENV variables prior to running a CGI, that's where it helps
security. If your CGI tries to run as root it's killed, or tries to access
different parts of the filesystem, etc... Running suexec on cgi calls
prevents unauthorized access to variables that a cgi script shouldn't have
access to.
>
> Adam


