no setuid for CGI scripts?

Toby Dickenson tdickenson at devmail.geminidataloggers.co.uk
Mon Nov 5 09:17:36 EST 2001


(posted and cc'ed to robin)

Robin Becker <robin at jessikat.fsnet.co.uk> wrote:

I don't think that's safe

'system' uses many environment variables that could be used to change
the behavior of this program to be something other than what you
expected.

>here wrapper is a program that you create to be setuid in your
>name/group.
>
>my code for the wrapper looks like below. I only allow it to work for
>the owner and the nobody user. 
>
>
>#include <stdio.h>
>#include <stdlib.h>
>#include <string.h>   /*strlen, strcat*/
>#include <unistd.h>   /*getuid, setuid, setgid*/
>#define SRCUID 1234 /*our UID so we can do things ourselves*/
>#define NOBID  65535 /*another possible ID (nobody)*/
>#define TGTUID 1234 /*the desired run UID*/
>#define TGTGID 7890 /*the desired run group*/
>#define TGTUSER "myusername"
>#define TGTHOME "/usr/home/" TGTUSER
>int main(int argc, char**argv)
>{
>        size_t  i, n=0;
>        char *buf;
>        /*only the owner and nobody may use the wrapper*/
>        n = getuid();
>        if(n!=NOBID && n!=SRCUID) exit(-1);
>        /*total length of the arguments*/
>        n = 0;
>        for(i=1;i<argc;i++) n += strlen(argv[i]);
>        if(!n) exit(0);
>        buf = malloc(n+argc+1);
>        if(!buf) exit(-1);
>        *buf = 0;
>        /*join the arguments into one command line*/
>        for(i=1;i<argc;i++){
>                if(i>1) strcat(buf," ");
>                strcat(buf,argv[i]);
>                }
>        setuid(TGTUID);
>        setgid(TGTGID); /*users*/
>        setenv("USER",TGTUSER,1);
>        setenv("HOME",TGTHOME,1);
>        system(buf); /*runs via the shell with the inherited environment*/
>        return 0;
>}



Toby Dickenson
tdickenson at geminidataloggers.com
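
An added example, not part of the original thread or either poster's code: one way to remove the environment dependence raised in the reply is to exec the target directly with a fixed environment instead of passing a joined string to system(). The PATH value and the helpers target_ok and run_clean are assumptions made for illustration; TGTUSER and TGTHOME reuse the placeholder values from the quoted wrapper.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed placeholders, mirroring the macros in the quoted wrapper. */
#define TGTUSER "myusername"
#define TGTHOME "/usr/home/" TGTUSER

/* Fixed environment for the child; nothing is inherited from the caller. */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin", "USER=" TGTUSER, "HOME=" TGTHOME, NULL
};

/* Accept only an absolute path without a ".." component (PATH is never searched). */
int target_ok(const char *path)
{
    size_t len;
    if (path == NULL || path[0] != '/') return 0;
    if (strstr(path, "/../") != NULL) return 0;
    len = strlen(path);
    return !(len >= 3 && strcmp(path + len - 3, "/..") == 0);
}

/* Run argv[0] directly with argv unchanged (no shell) and the fixed
   environment; return the child's exit status, or -1 on error. */
int run_clean(char *const argv[])
{
    int status;
    pid_t pid;
    if (!target_ok(argv[0])) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, clean_env);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) return 0;
    /* The uid check and setgid()/setuid() of the quoted wrapper would go here. */
    return run_clean(argv + 1) == 0 ? 0 : 1;
}
```

Because the arguments reach the target as separate argv entries, spaces and shell metacharacters in them are not reinterpreted the way they are when joined into one string for system().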


