Date:      Wed, 18 Nov 1998 12:56:30 -0500 (EST)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Per Kristian Hove <perhov@phys.ntnu.no>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: pkhttpd (Was: Would this make FreeBSD more secure?)
Message-ID:  <Pine.BSF.3.96.981118125342.2507A-100000@fledge.watson.org>
In-Reply-To: <Pine.GSO.3.96.981118173434.7124H-100000@huset.math.ntnu.no>

On Wed, 18 Nov 1998, Per Kristian Hove wrote:

> pkhttpd is a minimalist (compiled binary: 12KB) web server intended to be
> run from inetd (or djb's tcpserver). It was written for the PicoBSD
> project, as the minimalist web server they already had, has a very
> restrictive license. I (being the author) am of course biased, and would
> claim that it is fairly secure, but as I'm not a security programmer (just
> security-concerned), I could need some help. Is someone on this mailing
> list interested in helping? All you have to do is read through the ~250
> lines of code and see if you find any weaknesses (I'm sure you will) or
> holes. Both I and the PicoBSD project would be very thankful.

This sounds great.

> As for its features:
> - It handles 'GET' and 'HEAD' requests and does cgi.
> - It logs the date, IP-address and name of requested file of every
>   connection.
> - When run as root, it runs in a chroot()'ed environment. It runs
>   cgi programs with the user-id of the owner of the program (and never as
>   root).
> - When run as an ordinary user, it runs in a subdirectory of the user's
>   home. Your other files should be relatively safe, since it
> - doesn't allow '..' in file names/cgi programs.

This may be vulnerable to hard-link attacks.  That is, if there is an
untrusted user with an account on the system, and their home directory is
on the same partition as some setuid binary, they can hard link to it. 
The same goes for any binary, of course.  It might be desirable to require
the uid of the binary to be the same as the directory it is in (no hard
linking directories for non-root), or to require that the link count be 1
for the binary (this is not always good, and in the event of a system
upgrade is not always telling -- see below).

BTW, this is always a problem when upgrading buggy setuid binaries, and is
a good reason to keep an eye on your daily security mailing.  That a user
can preserve setuid programs across an OS upgrade is somewhat unfortunate,
but given hard links, hard to prevent :).

  Robert N Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

