Date:      Wed, 18 Nov 1998 23:13:10 +0100 (MET)
From:      Per Kristian Hove <perhov@phys.ntnu.no>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: pkhttpd (Was: Would this make FreeBSD more secure?)
Message-ID:  <Pine.GSO.3.96.981118225352.14196C-100000@huset.math.ntnu.no>
In-Reply-To: <Pine.BSF.3.96.981118125342.2507A-100000@fledge.watson.org>

On Wed, 18 Nov 1998, Robert Watson wrote:

 > > - When run as root, it runs in a chroot()'ed environment. It runs
 > >   cgi programs with the user-id of the owner of the program (and never as
 > >   root).
 > > - When run as an ordinary user, it runs in a subdirectory of the user's
 > >   home. Your other files should be relatively safe, since it
 > > - doesn't allow '..' in file names/cgi programs.
 > 
 > This may be vulnerable to hard-link attacks.  That is, if there is an
 > untrusted user with an account on the system, and their home directory is
 > on the same partition as some setuid binary, they can hard link to it. 
 > The same goes for any binary, of course.  It might be desirable to require
 > the uid of the binary to be the same as the directory it is in (no hard
 > linking directories for non-root), or to require that the link count be 1
 > for the binary (this is not always good, and in the event of a system
 > upgrade is not always telling -- see below)
 > BTW, this is always a problem when upgrading buggy setuid binaries, and is
 > a good reason to keep an eye on your daily security mailing.  That a user
 > can preserve setuid programs across an OS upgrade is somewhat unfortunate,
 > but given hard links, hard to prevent :).

All these things are good reasons to not let users have write permission
in any directory of a partition that contains setuid binaries. After all,
why should you (or they) need that? I certainly don't allow my users to do
that. I see your point, but it is easy to avoid. It *is* a minimalist's
choice (not a replacement for a fully functional server), and it is really
not very well suited as web server for your users. 

Note that it will not search the user's homedir when you ask it for
www.foo.org/~user/. I would run the server chroot()'ed to /var/httpd (and
I don't have any setuid binaries on /var), and give away directories under
/var/httpd/html/ to users if they were in need of putting something on the
web. Note that I still run the risk of the user having a cgi that's
essentially
#!/bin/sh
"$@"
but that's a risk you take when letting users onto your system.

link count == 1 sounds like a good idea.


-- 
per kristian                                       <perhov@phys.ntnu.no>

