Thread: cgi with postgres

hey folks,

this is a security issue i'd like to get some info
on, i'm sure it's more with cgi than postgres, but
heck.

issue: how to secure cgi's that access postgres

problem: passwords for postgres database are stored
      in plain text in scripts. (lets assume, perl,
      not a compiled language)

points:
    make cgi dir 711
    big deal, they can get the name of the file
    from the web, and copy it.

    set an obscure cgi script alias in apache
    big deal, they can read the cgi conf file.

    this is assuming they already have an account
    on the machine, something that cannot be ruled
    out.

question in short: how to make perl accessing databases
    more secure, so any jack can't modify a database.

thanks in advance.

Jeff MacDonald
jeff@hub.org

===================================================================
 So long as the Universe had a beginning, we can suppose it had a
creator, but if the Universe is completly self contained , having
no boundry or edge, it would neither be created nor destroyed
 It would simply be.
===================================================================

On Fri, Jan 14, 2000 at 04:55:02PM -0400, Jeff MacDonald wrote:
> this is a security issue i'd like to get some info
> on, i'm sure it's more with cgi than postgres, but
> heck.
>

First off, if the server is set up correctly a casual user should not be
able to browse the cgi-bin directory and see your code.

I'm not sure what server you are creating your scripts on, but if it is
Apache and mod_perl is available to you then this is even better.  You
can create a handler in mod_perl for a "pseudo-directory" and hide your
code that way.

However, as I said in my first paragraph this should not be necessary as
normally web browsers can't browse the cgi-bin directory anyway and your
cgi-script should just send back to the browser html code and not the
perl code itself.  Unless something is very very wrong....


--
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Peter L. Berghold                        Peter@Berghold.Net
"Linux renders ships                     http://www.berghold.net
 NT renders ships useless...."

* Jeff MacDonald <jeff@hub.org> [000114 13:38] wrote:
> hey folks,
>
> this is a security issue i'd like to get some info
> on, i'm sure it's more with cgi than postgres, but
> heck.
>
> issue: how to secure cgi's that access postgres
>
> problem: passwords for postgres database are stored
>       in plain text in scripts. (lets assume, perl,
>       not a compiled language)
>
> points:
>     make cgi dir 711
>     big deal, they can get the name of the file
>     from the web, and copy it.

how about sourcing a conf file that's in a 700 dir?

>
>     set an obscure cgi script alias in apache
>     big deal, they can read the cgi conf file.
>
>     this is assuming they already have an account
>     on the machine, something that cannot be ruled
>     out.
>
> question in short: how to make perl accessing databases
>     more secure, so any jack can't modify a database.
>
> thanks in advance.
>
> Jeff MacDonald
> jeff@hub.org
>

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]

alfred, that seems like a very reasonable solution,

in regard to the other chaps responce, i'm not worried
about web users anyway, cause they can't see the perl
source. it's users on the system i'd like to protect
against.

 On Fri, 14 Jan 2000, Alfred Perlstein wrote:

> * Jeff MacDonald <jeff@hub.org> [000114 13:38] wrote:
> > hey folks,
> >
> > this is a security issue i'd like to get some info
> > on, i'm sure it's more with cgi than postgres, but
> > heck.
> >
> > issue: how to secure cgi's that access postgres
> >
> > problem: passwords for postgres database are stored
> >       in plain text in scripts. (lets assume, perl,
> >       not a compiled language)
> >
> > points:
> >     make cgi dir 711
> >     big deal, they can get the name of the file
> >     from the web, and copy it.
>
> how about sourcing a conf file that's in a 700 dir?
>
> >
> >     set an obscure cgi script alias in apache
> >     big deal, they can read the cgi conf file.
> >
> >     this is assuming they already have an account
> >     on the machine, something that cannot be ruled
> >     out.
> >
> > question in short: how to make perl accessing databases
> >     more secure, so any jack can't modify a database.
> >
> > thanks in advance.
> >
> > Jeff MacDonald
> > jeff@hub.org
> >
>
> --
> -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
>

Jeff MacDonald
jeff@hub.org

===================================================================
 So long as the Universe had a beginning, we can suppose it had a
creator, but if the Universe is completly self contained , having
no boundry or edge, it would neither be created nor destroyed
 It would simply be.
===================================================================

Jeff MacDonald wrote:
>
> hey folks,
>
> this is a security issue i'd like to get some info
> on, i'm sure it's more with cgi than postgres, but
> heck.
>
> issue: how to secure cgi's that access postgres
>
> problem: passwords for postgres database are stored
>       in plain text in scripts. (lets assume, perl,
>       not a compiled language)
>
> points:
>         make cgi dir 711
>         big deal, they can get the name of the file
>         from the web, and copy it.
>
>         set an obscure cgi script alias in apache
>         big deal, they can read the cgi conf file.
>
>         this is assuming they already have an account
>         on the machine, something that cannot be ruled
>         out.
>
> question in short: how to make perl accessing databases
>         more secure, so any jack can't modify a database.
>
> thanks in advance.
>
> Jeff MacDonald
> jeff@hub.org

I'm not sure if this is definitive - hackers are very clever, but
this SHOULD do it:

1. httpd runs as user 'nobody'
2. 'nobody' doesn't have a shell account (shell = /bin/false)
3. no one can 'su' to 'nobody', except root (obviously)
4. pg_hba.conf allows only local connections (127.0.0.1)
5. the postmaster isn't running with -i
6. 'nobody' owns the database and has granted privileges to only
those other users as appropriate
7. The password (as added protection) is in some file readable by
user 'nobody' only.

Hope that helps,

Mike Mascari

* Jeff MacDonald <jeff@hub.org> [000114 14:07] wrote:
> alfred, that seems like a very reasonable solution,
>
> in regard to the other chaps responce, i'm not worried
> about web users anyway, cause they can't see the perl
> source. it's users on the system i'd like to protect
> against.

I'm not sure what you mean, but there is a problem, unless you
execute the scripts as a user other than the default cgi user then
you may run into problems because then people can craft a cgi and
run it through the server to gain access to the 700 dir, you'll
either need some sort of setuid (to a special user, not root) or
use some sort of cgiwrapper.

-Alfred

>
>  On Fri, 14 Jan 2000, Alfred Perlstein wrote:
>
> > * Jeff MacDonald <jeff@hub.org> [000114 13:38] wrote:
> > > hey folks,
> > >
> > > this is a security issue i'd like to get some info
> > > on, i'm sure it's more with cgi than postgres, but
> > > heck.
> > >
> > > issue: how to secure cgi's that access postgres
> > >
> > > problem: passwords for postgres database are stored
> > >       in plain text in scripts. (lets assume, perl,
> > >       not a compiled language)
> > >
> > > points:
> > >     make cgi dir 711
> > >     big deal, they can get the name of the file
> > >     from the web, and copy it.
> >
> > how about sourcing a conf file that's in a 700 dir?
> >
> > >
> > >     set an obscure cgi script alias in apache
> > >     big deal, they can read the cgi conf file.
> > >
> > >     this is assuming they already have an account
> > >     on the machine, something that cannot be ruled
> > >     out.
> > >
> > > question in short: how to make perl accessing databases
> > >     more secure, so any jack can't modify a database.
> > >
> > > thanks in advance.
> > >
> > > Jeff MacDonald
> > > jeff@hub.org
> > >
> >
> > --
> > -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
> >
>
> Jeff MacDonald
> jeff@hub.org
>
> ===================================================================
>  So long as the Universe had a beginning, we can suppose it had a
> creator, but if the Universe is completly self contained , having
> no boundry or edge, it would neither be created nor destroyed
>  It would simply be.
> ===================================================================
>

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]

On Fri, 14 Jan 2000, Jeff MacDonald wrote:

> hey folks,
>
> this is a security issue i'd like to get some info
> on, i'm sure it's more with cgi than postgres, but
> heck.
>
> issue: how to secure cgi's that access postgres
>
> problem: passwords for postgres database are stored
>       in plain text in scripts. (lets assume, perl,
>       not a compiled language)
>
> points:
>     make cgi dir 711
>     big deal, they can get the name of the file
>     from the web, and copy it.
>
>     set an obscure cgi script alias in apache
>     big deal, they can read the cgi conf file.

Side point ... why isn't the apache conf file secure?  Only user root
needs to be able to read it, no?

Marc G. Fournier                   ICQ#7615664               IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy@hub.org           secondary: scrappy@{freebsd|postgresql}.org

Hi,
Take a look at :
Python :  http://www.python.org/
There is an adapteur to Postgresql ==> Pygresql
This is GREAT for Unix (Linux) cgi with Postgresql...
Just for information.
Emmanuel.

Le ven, 14 jan 2000, vous avez �crit :
> hey folks,
>
> this is a security issue i'd like to get some info
> on, i'm sure it's more with cgi than postgres, but
> heck.
>
> issue: how to secure cgi's that access postgres
>
> problem: passwords for postgres database are stored
>       in plain text in scripts. (lets assume, perl,
>       not a compiled language)
>
***

On 2000-01-14, Alfred Perlstein mentioned:

> > issue: how to secure cgi's that access postgres
> >
> > problem: passwords for postgres database are stored
> >       in plain text in scripts. (lets assume, perl,
> >       not a compiled language)
> >
> > points:
> >     make cgi dir 711
> >     big deal, they can get the name of the file
> >     from the web, and copy it.
>
> how about sourcing a conf file that's in a 700 dir?

Security through obscurity is little security indeed.

--
Peter Eisentraut                  Sernanders väg 10:115
peter_e@gmx.net                   75262 Uppsala
http://yi.org/peter-e/            Sweden

On 2000-01-14, The Hermit Hacker mentioned:

> Side point ... why isn't the apache conf file secure?  Only user root
> needs to be able to read it, no?

Huh? You run apache as root?

--
Peter Eisentraut                  Sernanders väg 10:115
peter_e@gmx.net                   75262 Uppsala
http://yi.org/peter-e/            Sweden

* Peter Eisentraut <peter_e@gmx.net> [000116 09:30] wrote:
> On 2000-01-14, Alfred Perlstein mentioned:
>
> > > issue: how to secure cgi's that access postgres
> > >
> > > problem: passwords for postgres database are stored
> > >       in plain text in scripts. (lets assume, perl,
> > >       not a compiled language)
> > >
> > > points:
> > >     make cgi dir 711
> > >     big deal, they can get the name of the file
> > >     from the web, and copy it.
> >
> > how about sourcing a conf file that's in a 700 dir?
>
> Security through obscurity is little security indeed.

I don't see how using the unix permissions as a
form of ACL is security through obscurity... or do you
chmod 644 /etc/shadow on your boxes?

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]

Peter Eisentraut wrote:
>
> On 2000-01-14, Alfred Perlstein mentioned:
>
> > > issue: how to secure cgi's that access postgres
> > >
> > > problem: passwords for postgres database are stored
> > >       in plain text in scripts. (lets assume, perl,
> > >       not a compiled language)
> > >
> > > points:
> > >     make cgi dir 711
> > >     big deal, they can get the name of the file
> > >     from the web, and copy it.
> >
> > how about sourcing a conf file that's in a 700 dir?
>
> Security through obscurity is little security indeed.

1. If anybody can read your web page, well, then, you
would need to make a "reader" account in your DBMS.
That way, anybody can get the username and password,
and it may not matter. As long as this user only has
perms to the database (as in, no shell, no other perms
on the box), it's about as secure as any other service
that passes user/pass over the 'net in readable form....

2. Deeper accounts can be controled via .htaccess,
via apache. Again, this has holes, but now the potential
hacker has two hoops to jump through.

3.  Access to specific virtual hosts can be controlled
via packet filtering, for more secure connections to
an admin page. Yet another hoop.

4. Security through obscurity _can_ be of great value,
if your threat scenario is primarily individuals who
wouldn't know where to look, or what to look for. If
your threat scenario includes individuals who do have
that skill level, yup, it's not that much protection.
It's like hiding the lock on a door. It's provide security
against lock pickers, but no security against the guy
with a sledge hammer. A hoop for those with little
imagination or knowledge....

Security is not something you can program, buy, or build,
it's a mindset.  For each hoop you require users to jump
through, it's another hoop for a  hacker to jump through.
Since you _will_ be hacked, by somebody, eventually, you
have to balance the level of security with the level of
*value* it offers. For example, disabling cgi's helps quite
a bit, from a security standpoint, but it makes users
cranky. Is that crankyness worth the security of removing
all cgi's? If your transactions are worth several thousand
a day,  of course it is.  Are your databases so valuable that
you don't want to allow users write access? Don't put
them on writable media.  Do you need to guarantee that
only specific users have access to specific transactions
in a specific database? Then cut the cord on internet access,
entirely.

Back to the original question:
>issue: how to secure cgi's that access postgres

For *absolutely secure* environments, remove the cgi's, erase
the database, take the box in back, and burn it, then crush it
into little bits, then sprinkle the ashes over no less than a
300 km radius, in non-equal distribution. ;-)

For slightly less security, you should follow two basic, old-school
rules: Something you know, and something you have. For each level
of security, you should require at least one measure of each. For
vanilla access, they would *know* where the server is, and *have* one
pasword. More secure: They would *know* a non-htttp-linked, non-listed,
CGI file to access, and *have* a specfic IP they are coming from. Next,
maybe knowing another access code, and having a stored cookie
which is checked against... and on, and on, so by the time they have
a high level of access, they've managed to use passwords, RSA keys,
their IP, a fingerprint, an eyeball scan..... but it's still not quite as
secure as destroying all of the data. :-) Up to that point, it's just
a matter of making enough hoops to jump through that it keeps
most of your threat assesments at bay, and using them in an
_additive_ fashion.

Additive? Well, a retinal scan and password combo is only
two hoops, but a retinal scan, and password, and RSA key, and
initiating IP, and facial scan, and tunneled session, is 6 things
a cracker has to break, in the right order, in order to get in.  So
you have to balance how much security you need versus how many
hoops you want to make, as setting up 20+ boxes, in series, to
use a SELECT statement, may be a bit absurd for your application.
:-) I've done it for giggles, performance was not the best, but
it worked well enough that it was pretty much impenetrable
from over the internet. Only took two or three minutes to pass
a select staement through, and half an hour or so to return
a few rows... <g>

HTH,
-Ronabop

* Ron Chmara <ron@Opus1.COM> [000116 16:18] wrote:
> Peter Eisentraut wrote:
> >
> > On 2000-01-14, Alfred Perlstein mentioned:
> >
> > > > issue: how to secure cgi's that access postgres
> > > >
> > > > problem: passwords for postgres database are stored
> > > >       in plain text in scripts. (lets assume, perl,
> > > >       not a compiled language)
> > > >
> > > > points:
> > > >     make cgi dir 711
> > > >     big deal, they can get the name of the file
> > > >     from the web, and copy it.
> > >
> > > how about sourcing a conf file that's in a 700 dir?
> >
> > Security through obscurity is little security indeed.
>
> 1. If anybody can read your web page, well, then, you
> would need to make a "reader" account in your DBMS.
> That way, anybody can get the username and password,
> and it may not matter. As long as this user only has
> perms to the database (as in, no shell, no other perms
> on the box), it's about as secure as any other service
> that passes user/pass over the 'net in readable form....
>
> 2. Deeper accounts can be controled via .htaccess,
> via apache. Again, this has holes, but now the potential
> hacker has two hoops to jump through.
>
> 3.  Access to specific virtual hosts can be controlled
> via packet filtering, for more secure connections to
> an admin page. Yet another hoop.
>
> 4. Security through obscurity _can_ be of great value,
> if your threat scenario is primarily individuals who
> wouldn't know where to look, or what to look for. If
> your threat scenario includes individuals who do have
> that skill level, yup, it's not that much protection.
> It's like hiding the lock on a door. It's provide security
> against lock pickers, but no security against the guy
> with a sledge hammer. A hoop for those with little
> imagination or knowledge....

All these options don't take into account that perhaps you don't
want people _on the same box_ to be able to even read arbitrary
things from your database.  Sure you can protect the tables from
modification via postgresql's internal ACL system, however what
if you wish to deny read access as well?

For this you need a file with an ACL prevents other _local users_
from reading it.

This is _not_ security through obscurity, this is basic ACL control.
Again, figure a way to 'protect' your shadow password database
without relying on an external auth server.

> Security is not something you can program, buy, or build,
> it's a mindset.  For each hoop you require users to jump
> through, it's another hoop for a  hacker to jump through.
> Since you _will_ be hacked, by somebody, eventually, you
> have to balance the level of security with the level of
> *value* it offers. For example, disabling cgi's helps quite
> a bit, from a security standpoint, but it makes users
> cranky. Is that crankyness worth the security of removing
> all cgi's? If your transactions are worth several thousand
> a day,  of course it is.  Are your databases so valuable that
> you don't want to allow users write access? Don't put
> them on writable media.  Do you need to guarantee that
> only specific users have access to specific transactions
> in a specific database? Then cut the cord on internet access,
> entirely.
>
> Back to the original question:
> >issue: how to secure cgi's that access postgres
>
> For *absolutely secure* environments, remove the cgi's, erase
> the database, take the box in back, and burn it, then crush it
> into little bits, then sprinkle the ashes over no less than a
> 300 km radius, in non-equal distribution. ;-)
>
> For slightly less security, you should follow two basic, old-school
> rules: Something you know, and something you have. For each level
> of security, you should require at least one measure of each. For
> vanilla access, they would *know* where the server is, and *have* one
> pasword. More secure: They would *know* a non-htttp-linked, non-listed,
> CGI file to access, and *have* a specfic IP they are coming from. Next,
> maybe knowing another access code, and having a stored cookie
> which is checked against... and on, and on, so by the time they have
> a high level of access, they've managed to use passwords, RSA keys,
> their IP, a fingerprint, an eyeball scan..... but it's still not quite as
> secure as destroying all of the data. :-) Up to that point, it's just
> a matter of making enough hoops to jump through that it keeps
> most of your threat assesments at bay, and using them in an
> _additive_ fashion.
>
> Additive? Well, a retinal scan and password combo is only
> two hoops, but a retinal scan, and password, and RSA key, and
> initiating IP, and facial scan, and tunneled session, is 6 things
> a cracker has to break, in the right order, in order to get in.  So
> you have to balance how much security you need versus how many
> hoops you want to make, as setting up 20+ boxes, in series, to
> use a SELECT statement, may be a bit absurd for your application.
> :-) I've done it for giggles, performance was not the best, but
> it worked well enough that it was pretty much impenetrable
> from over the internet. Only took two or three minutes to pass
> a select staement through, and half an hour or so to return
> a few rows... <g>

I'd say these are good examples of security through absurdity,
interesting to research, but as implied from the responce times
of this system: not usable.

sorry, :)
--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]

Alfred Perlstein wrote:
> * Ron Chmara <ron@Opus1.COM> [000116 16:18] wrote:
Snip_> Of security items.....
> All these options don't take into account that perhaps you don't
> want people _on the same box_

Well, I assumed that web clients, using cgi, was the "Subject:",
so I didn't adrdress it.  :-)

> to be able to even read arbitrary
> things from your database.  Sure you can protect the tables from
> modification via postgresql's internal ACL system, however what
> if you wish to deny read access as well?
> For this you need a file with an ACL prevents other _local users_
> from reading it.

Hm. If they cannot read the file, how do they read it for access? :-)
If they _can_ read a component for access, you already have an
item to be eploited, again, it's about finding _balance_ in one's
access needs. The only secure server is a non-existant one.

> This is _not_ security through obscurity, this is basic ACL control.

Which is insecure to attacks from anything that uses it. :-)

> Again, figure a way to 'protect' your shadow password database
> without relying on an external auth server.

Completely protected? On a single server? Can't be done. Relatively
protected? Sure. But it's not "secure", it's "relatively secure".

Snip_>
> >. For
> > vanilla access, they would *know* where the server is, and *have* one
> > pasword....
> > So
> > you have to balance how much security you need versus how many
> > hoops you want to make, as setting up 20+ boxes, in series, to
> > use a SELECT statement, may be a bit absurd for your application.

>> I'd say these are good examples of security through absurdity,
> interesting to research, but as implied from the responce times
> of this system: not usable.
> sorry, :)

Perhaps you missed the point behind starting with something
extremely insecure (such as a single ACL, as you propose, and I started
with something as inherently insucre as that) , and scaling up to
absurdly slow, hard to break, but still insecure: There's no such
thing as a secure server. So you have to  find balance, knowing that
whatever you do is insecure in *some* way, and relatively secure
in other ways.

-Ronabop

ok.

lets get back to the point, i'm not worried about webusers,
so .htaccess is not an issue.

this all arouse when one of hub's clients who runs a course
evaluation system asked

'what's to stop someone from logging in to hub, writing a script
with my name in user=user in the dbi::connect function. then
making it enter a bunch of bogus data.'

at first i thought gee well just put a passwd on the database,
then i thought, gee that's stupid since it's stored in plain text.


======================================================
Jeff MacDonald
    jeff@pgsql.com    irc: bignose on EFnet
======================================================

"Jeff MacDonald " wrote:
> 'what's to stop someone from logging in to hub, writing a script
> with my name in user=user in the dbi::connect function. then
> making it enter a bunch of bogus data.'
> at first i thought gee well just put a passwd on the database,
> then i thought, gee that's stupid since it's stored in plain text.

Depends on how you're set up. You can use host based
authentification, so only valid machines can make changes.
You can shut out shell accounts on the machine, and then
use the host's username/pass function for connection. You
can use postgres crypt'ed passwords, which doesn't store passwords
at all, it stores a block of zeros encrypted using the password....
at least on the machine itself, not in the CGI's...

(Yes, I'm rambling about other issues, but I'll get there...)

If you're only requiring one username, one password, for a file
everybody has access to, well, yes, that's a problem. Which is why
password files usually have permissions on them, so :
-rw-------   1 postgres demigods       8192 Jan  7 11:55 pg_shadow
can only be read/written by user postgres, group demigods.

See:
http://www.postgresql.org/doxlist.html for a rough overview
of how this is supposed to work..

(Still rambling, not about scripted, stored, user/pass access yet)

Yes, yes, you can have connections that are username only. You
can have username and password, in a cgi, which is why you
*don't use real, powerful, usernames and passwords in
scripts*. You use things like www or nobody, which write to
temporary tables. Which are then inspected for accuracy,
or validated, or verified. If your question is framed as
"when I give others access into the bank, how do I know
they won't steal money?", the response is "by not
letting them near the real money".  You set up a user for
the db that has the _bare_ minimum, and you never, ever,
use a cgi. or a script, that allows more rights to be
granted.

Put another way: It's a bad move to have suid root programs
available to the regular users for the same reason...

A better metaphor might be: You don't leave your housekeys
at the front door for the mailman to deliver the mail. You
may have a locked mailbox, and when you want to move
the mail, you unlock the box, and _then_ move it. The
user doesn't have privleges to dump bad data into the
secure tables, only insecure tables.

HTH,
-Bop

On Friday 14 January 2000, at 16 h 55, the keyboard of Jeff MacDonald
<jeff@hub.org> wrote:

>     make cgi dir 711
>     big deal, they can get the name of the file
>     from the web, and copy it.

My CGIs sources a config file, in mode 700, only readable by 'www' (the user
which executes Apache).

I adopted this after a CGI was inadvenrdently made available on the Web, in
source form :-)

If you have CGI authors you do not trust, have two Apache, with different IDs.

>     this is assuming they already have an account
>     on the machine, something that cannot be ruled
>     out.

Unix file protections are enough against local users.

> My CGIs sources a config file, in mode 700, only readable by 'www' (the user
> which executes Apache).

this option works, but not well if the user isn't root.


Jeff MacDonald
jeff@hub.org

===================================================================
 So long as the Universe had a beginning, we can suppose it had a
creator, but if the Universe is completly self contained , having
no boundry or edge, it would neither be created nor destroyed
 It would simply be.
===================================================================

On Monday 17 January 2000, at 11 h 18, the keyboard of Jeff MacDonald
<jeff@hub.org> wrote:

> > My CGIs sources a config file, in mode 700, only readable by 'www' (the user
> > which executes Apache).
>
> this option works, but not well if the user isn't root.

Can you elaborate? Of course, it works well and of course, the actual user is not root.

normal users are not allowed to chown files to oterh users..

On Mon, 17 Jan 2000, Stephane Bortzmeyer wrote:

> On Monday 17 January 2000, at 11 h 18, the keyboard of Jeff MacDonald
> <jeff@hub.org> wrote:
>
> > > My CGIs sources a config file, in mode 700, only readable by 'www' (the user
> > > which executes Apache).
> >
> > this option works, but not well if the user isn't root.
>
> Can you elaborate? Of course, it works well and of course, the actual user is not root.
>
>
>

Jeff MacDonald
jeff@hub.org

===================================================================
 So long as the Universe had a beginning, we can suppose it had a
creator, but if the Universe is completly self contained , having
no boundry or edge, it would neither be created nor destroyed
 It would simply be.
===================================================================

This really doesn't have anything to do with Postgres, but you guys may
want to look into the cgi-wrapper addon that comes with Apache.  I haven't
used it myself, but from what I understand it does a setuid to the user
whose home directory the CGI is in before executing it, thus having the
same file access permissions as that user.  Then it doesn't matter if other
people can run CGI scripts or have shell access, as unless they have the
password for the account of the CGI, they can't read it (as long as you
aren't an idiot in setting the file permissions.)  PHP3 has a similar
ability built in that can be turned on via the php3.ini file.

The problem with CGI security isn't so much a matter of people getting
shell access and playing around, it's more along the lines of writing a CGI
that executes a program such as find or cat as the web user, which would
enable them to list and display all the CGI's on the system, and their
config files.

At 12:02 PM 1/17/00, Stephane Bortzmeyer wrote:
>On Monday 17 January 2000, at 11 h 18, the keyboard of Jeff MacDonald
><jeff@hub.org> wrote:
>
> > > My CGIs sources a config file, in mode 700, only readable by 'www'
> (the user
> > > which executes Apache).
> >
> > this option works, but not well if the user isn't root.
>
>Can you elaborate? Of course, it works well and of course, the actual user
>is not root.
>
>
>
>
>************