RE: Running cgi binaries as root

Thanks all for the quick reply. Changing the set-uid bit was a good solution. With this solution I can selectively choose which binary scripts need to have root capabilities. I never would have thought of this escape because I was stuck in a "solution loop"....
Concerning the security, I believe that when using binary scripts, security is increased some levels. Since the cgi binaries are no longer ASCII files, injecting or altering code is hardly possible. The only way to breach security is to replace the binary itself. And for that you need to know which type of processor is being used to produce the correct executable. I can tell it's not Intel or AMD......
If I overlook something concerning security please let me know.
 
Regards.
 
> Date: Tue, 24 Jan 2012 09:19:49 -0500
> From: mark@xxxxxxxxxxx
> To: users@xxxxxxxxxxxxxxxx; lapierre62@xxxxxxxxxxx
> Subject: Re: Running cgi binaries as root
>
> On January 24, 2012 9:00 , Tarzan Jane <lapierre62@xxxxxxxxxxx> wrote:
> > The scripts address IO-pins on the embedded system [...] If I run the
> > scripts as root in the /var/www/cgi-bin directory all is fine. But
> > when trying to run the scripts using Apache via a web page nothing
> > happens. This is because the scripts are run as www-data user and the
> > www-data user is not allowed to perform these actions. Suexec doesn't
> > work either because suexec expects ascii written cgi/php/pl script.
>
> If you can grant the www-data user the right to address the IO pins,
> that is the best solution. This way, the CGIs are given only the
> permissions they need, not superuser (root) permissions to do
> everything. If, for example, the IO pins are addressed through device
> files, then you may be able to simply change the owner of the device
> files to www-data.
>
> Otherwise, you can change the owner of the CGI binaries to be root and
> turn on the set-uid bit. This way, when the CGI binaries are run they
> will be run as root. https://en.wikipedia.org/wiki/Setuid Since
> you've already said that you're aware of the security issues, I won't
> repeat any dire warnings here.
>
> --
> Mark Montague
> mark@xxxxxxxxxxx
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
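
An added example, not part of the original thread: a shell check that lists every set-uid file under a CGI directory and flags any that is writable by group or others, or that sits in a directory writable by group or others, so the set of root-capable binaries stays limited to the ones deliberately chosen. The function name and output format are assumptions of this example; the directory is passed as an argument (the thread mentions /var/www/cgi-bin).

```shell
#!/bin/sh
# Added example (not from the thread): audit set-uid files in a CGI directory.
# Function name and output format are assumptions made for this example.

# Prints one line per set-uid regular file found under DIR:
#   RISK <path> <reason>   or   OK <path>
# Returns 1 if any RISK line was printed, 0 otherwise.
audit_setuid_cgi() {
    dir=$1
    risk=0
    # -perm -4000 matches files with the set-uid bit on.
    list=$(find "$dir" -type f -perm -4000 -print | sort)
    [ -n "$list" ] || return 0
    while IFS= read -r f; do
        reason=
        # The binary itself must not be writable by group or others.
        if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            reason="file-writable-by-group-or-other"
        # Neither must its directory: write access there allows
        # removing or swapping the file the web server executes.
        elif [ -n "$(find "$(dirname "$f")" -prune \
                     \( -perm -020 -o -perm -002 \) -print)" ]; then
            reason="directory-writable-by-group-or-other"
        fi
        if [ -n "$reason" ]; then
            echo "RISK $f $reason"
            risk=1
        else
            echo "OK $f"
        fi
    done <<EOF
$list
EOF
    return $risk
}

# Stand-alone use: sh audit.sh /var/www/cgi-bin
if [ $# -gt 0 ]; then
    audit_setuid_cgi "$1"
fi
```

Running it from cron or a deployment step and alerting on a non-zero exit status also surfaces any set-uid file that appears in the directory unexpectedly, since every one found is printed.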
