Re: CGI Scripts and Permissions

• To: paulp@cerf.net (Paul Phillips)
• Subject: Re: CGI Scripts and Permissions
• From: Liz Stokes <ilaine@panix.com>
• Date: Thu, 14 Mar 1996 14:49:05 -0500 (EST)
• Cc: www-security@ns2.rutgers.edu
• In-Reply-To: <Pine.SUN.3.91.960314093703.26309A-100000@nic.cerf.net> from "Paul Phillips" at Mar 14, 96 09:38:59 am

Paul Phillips wrote:
> 
> 
> 
> On Thu, 14 Mar 1996, Liz Stokes wrote:
> 
> > I hacked our server to run scripts as the uid of the owner. It gives the
> > same effect as wrappers without the overhead.
> 
> [...] but with the added bonus that you get to run it as root all the 
> time so it can switch UIDs.

What? Nonsense. It does a seteuid instead of a setuid at the outset and
runs as 'web'. If it is going to exec a script it first sets uid back to 0,
if that fails it dies. If successful, it does a setuid (not euid) to the
script owner (unless that is 0 of course) also dying on failure. Only if
uid == ownerid does it agree to exec.

-- 
Liz Stokes
ilaine@panix.com

• Re: CGI Scripts and Permissions
• From: Paul Phillips <paulp@cerf.net>

• Re: CGI Scripts and Permissions
• From: Paul Phillips <paulp@cerf.net>

• Previous: CYLINK's Support for Open Public Key Standards
• Next: Re: CGI Scripts and Permissions
• Index(es):
  • Index
  • Thread