Re: SECURITY HOLE: "Guestbook"

Pat The Friendly RedNeck (pat@WOLFE.net)
Thu, 3 Aug 1995 10:21:54 -0700

> The version of "Guestbook" available at
> <URL:http://alpha.pr1.k12.co.us/~mattw/scripts/guestbook.htm>
> allows execution of arbitrary commands under the server UID.
> [ ... ]

> It's the same old story -- forks a shell and sends off user
> supplied form data without checking it at all.  In my probes
> I'm also finding sites running their webservers as root...
> BAD BAD.  DON'T DO THIS.

Thanks for the alert.

Aren't most servers configured to change to nobody/nogroup, only being
launched as root so they can bind to port 80?  Looking at the code (NCSA
httpd), all privs are given up as soon as the config file is read, when
it does a setuid(user_id); user_id is read from the httpd.conf User and
Group entries and is usually set to nobody and nogroup (UID 65534/GID
65534 on most systems).

Surely folks are not putting root in the httpd.conf User field...

> Followups to comp.infosystems.www.authoring.cgi, please.

> --
> Paul Phillips                                 | "Click _here_ if you do not
> <URL:mailto:paulp@cerf.net>                   |  have a graphical browser"
> <URL:http://www.primus.com/staff/paulp/>      |  -- Canter and Siegel, on
> <URL:pots://+1-619-220-0850/is/paul/there?>   |  their short-lived web site


--
#include <std.disclaimer>    Pat Myrto (pat@Wolfe.NET)       Seattle WA
A sysadmin's life is a sorry one.  The only advantage he has over Emergency
Room doctors is that malpractice suits are rare.  On the other hand, ER
doctors never have to deal with patients installing new versions of their
own innards!   -Michael O'Brien
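The sequence Pat describes, as an added example: start as root only long enough to bind the listening port, read the User/Group directives, give up root for good, and refuse to start at all if the configured user resolves to root. This is illustrative code written for this page; it is not NCSA httpd source and was not posted by anyone in the thread. The "#N" numeric directive syntax, the function names, the 65534 ids and the loopback bind on port 80 are assumptions for illustration.

```c
#define _GNU_SOURCE            /* setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Resolve a "User" or "Group" directive value to a numeric id.
 * "#N" is taken literally (assumed syntax, as in Apache); anything else is
 * looked up by name. Returns 0 on success, -1 if the result would be id 0
 * (root) and is refused, -2 if the value is unknown or malformed.
 * Refusing 0 here is the check Pat hopes admins are already making by hand. */
int resolve_directive(const char *value, int is_group, long *id_out)
{
    long id;
    if (value[0] == '#') {
        char *end;
        id = strtol(value + 1, &end, 10);
        if (end == value + 1 || *end != '\0' || id < 0) return -2;
    } else if (is_group) {
        struct group *gr = getgrnam(value);
        if (gr == NULL) return -2;
        id = gr->gr_gid;
    } else {
        struct passwd *pw = getpwnam(value);
        if (pw == NULL) return -2;
        id = pw->pw_uid;
    }
    if (id == 0) return -1;
    *id_out = id;
    return 0;
}

/* Drop root permanently. Order matters: supplementary groups, then gid,
 * then uid, because once the uid is no longer 0 the first two would fail.
 * Afterwards try to get root back; if that works the drop was not real
 * (only the effective id moved) and the caller must not go on serving. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        if (setgroups(0, NULL) != 0) return -1;
        if (setgid(gid) != 0) return -1;
        if (setuid(uid) != 0) return -1;
    }
    if (setuid(0) == 0 || seteuid(0) == 0 || setgid(0) == 0) return -1;
    return geteuid() == 0 ? -1 : 0;
}

/* Bind the listening socket while still root: on most systems this is the
 * only step that needs root, which is why httpd is launched as root at all.
 * Returns the listening fd, or -1 (check errno) if the bind failed. */
int bind_listener(int port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 8) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed httpd.conf values: the usual defaults Pat mentions. */
    long uid, gid;
    int fd, rc;
    if ((rc = resolve_directive("nobody", 0, &uid)) != 0 ||
        (rc = resolve_directive("#65534", 1, &gid)) != 0) {
        fprintf(stderr, "bad User/Group directive (%d): refusing to start\n", rc);
        return 1;
    }
    fd = bind_listener(80);                 /* needs root; fails otherwise */
    if (fd < 0) perror("bind port 80 (continuing unbound for the demo)");
    if (drop_privileges((uid_t)uid, (gid_t)gid) != 0) {
        fprintf(stderr, "could not drop root: aborting rather than serve\n");
        return 1;
    }
    printf("now uid %u gid %u; CGI children forked from here get this uid too\n",
           (unsigned)geteuid(), (unsigned)getegid());
    if (fd >= 0) close(fd);
    return 0;
}
```

Run it as root and the bind succeeds before the drop; run it as an ordinary user and the bind fails but the drop check still passes, since the process was never root. Either way a "User root" or "User #0" line is rejected before a socket is even opened, and a CGI child forked after drop_privileges() inherits the unprivileged uid, which is what limits a guestbook-style shell escape to that uid rather than root.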