no setuid for CGI scripts?
Toby Dickenson
tdickenson at devmail.geminidataloggers.co.uk
Mon Nov 5 09:17:36 EST 2001
(posted and cc'ed to robin)
Robin Becker <robin at jessikat.fsnet.co.uk> wrote:
I dont think thats safe
'system' uses many environment variables that could be used to change
the behavior of this program to be something other that what you
expected.
>here wrapper is a program that you create to be setuid in your
>name/group.
>
>my code for the wrapper looks like below. I only allow it to work for
>the owner and the nobody user.
>
>
>#include <stdio.h>
>#include <stdlib.h>
>#define SRCUID 1234 /*our UID so we can do things ourselves*/
>#define NOBID 65535 /*another possible ID (nobody*)/
>#define TGTUID 1234 /*the desired run UID*/
>#define TGTGID 7890 /*the desired run group*/
>#define TGTUSER "myusername"
>#define TGTHOME "/usr/home/" TGTUSER
>int main(int argc, char**argv)
>{
> size_t i, n=0;
> char *buf;
> n = getuid();
> if(n!=NOBID && n!=SRCUID) exit(-1);
> for(i=1;i<argc;i++) n += strlen(argv[i]);
> if(!n) exit(0);
> buf = malloc(n+argc+1);
> *buf = 0;
> for(i=1;i<argc;i++){
> if(i>1) strcat(buf," ");
> strcat(buf,argv[i]);
> }
> setuid(TGTUID);
> setgid(TGTGID); /*users*/
> setenv("USER",TGTUSER,1);
> setenv("HOME",TGTHOME,1);
> system(buf);
>}
Toby Dickenson
tdickenson at geminidataloggers.com
More information about the Python-list
mailing list