CGI Security

[zoom]

Just wondering why I'm able to create a cgi script that can browse the any of the files in the chroot environment?? Below are the settings I'm using for the server. The document root for the test website is owned by user other than the LSWS.

(Server) Enable chroot Yes
(VH) CGI Set UID Mode DocRoot UID
(VH) CGI Chroot Mode Same as Server

Context /cgi-bin/ is set as follows
Allow Set UID N/A

Why can I browse files in other directories? I should be locked into my doc root..

 

[mistwang]

I think it is a unix account security issue.

A private group should be created for each user, the root directory of each user should be owned by the user and the private group, perission should be 0750 or 0770. then only this user can read his own directory.

The user that web server running as should be member of the private groups of those users, so the web server can read all files.

Then a set-uid CGI script will not able to peak files of another user.

 

[zoom]

Yes,
But why can I browse files outside the chroot for LSWS. For example have a simple cgi script that can 'cat' the /etc/passwd file. The file has the following attributes

rw-r--r-- 1 root root 242 Dec 22 15:00 passwd

I'm guessing this is because the it's world readable. Still, bothers me that people within a shared environment can browse these types of files. Do they really need to be world readable??? Is there anyway to prevent it?

 

[mistwang]

Are you sure it is /etc/passwd out side the jail, not the /chroot/etc/passwd? If it is, then it is a bug means that the CGI has not been chroot properly.

As some application need to read /etc/passwd to work properly, so I don't recommend making it not world readable, you can fake a passwd file in the jail. Information in /etc/passwd is not very sensitive to me.

 

[zoom]

mistwang,
I'm referring to the passwd file located within the jail /chroot/etc/passwd. Take for example a very simple script as shown below.

echo "Content-type: text/plain; charset=iso-8859-1"
echo
echo CGI/1.0 test scriptt:
echo
echo `cat /etc/passwd`

Initially I was somewhat concerned that CGI scripts could read world readable files within the chroot. However, I'm not as worried now. Simply because I can control what binaries are available to users within the chroot. If users were able to get information from the httpd.conf etc it wouldn't be any good since they can't browse other virtual hosts outside of their own. Provided of course that each virtual host is running under a separate userid and has the corrrect file permissions. The only danger is that they have to potential to spot a misconfiguration, which could be exploited.