You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by Andrew Ho <an...@tellme.com> on 2001/03/02 00:35:05 UTC

Re: [OT] security!

Hello,

GR>By looking the way modperl works today, it's clearly it were not
GR>desgined to SECURELY support a multi-user environment. For instance: Any
GR>user can write a script that will be able to read any file owned by the
GR>httpd server, in a multi-user environment it should not be allowed.

This is a general Unix webserver issue and not specific to mod_perl, so
I've marked your message [OT] for off-topic.

You cannot easily avoid this problem in general.
(1) HTTP requests can come from anybody.
(2) All HTTP requests are serviced by the same webserver.
(3) The webserver needs to be able to read and execute scripts.

Therefore, in general if untrusted users can write webserver executed
scripts, they can read anything the webserver can.

GR>A gentle way to prevent this would be not to allow a script read a file
GR>whose owner id is not the same from the script owner id, isn't it?

This is fine, but you're talking about revamping Unix permissions here,
not at the webserver level. The webserver cannot enforce this condition
because the webserver only runs the script, it is not the OS that the
script runs on.

GR>Another problem: process creation should be wrapped by apache suexec
GR>mechanism, is it currently done this way? Why not?

This could help sidestep the issue. It is not done this way by default,
because even using suexec doesn't automatically make your scripts secure,
and in fact it can make the situation worse.

GR>May some here confirm me that if i am a security concious admin, i
GR>should not make modperl+embperl available to my user?

If you are a security conscious admin, and you cannot trust your users,
you should not make mod_perl available to them. In fact you should not
make any dynamic HTTP functionality available to them--CGI, ISAPI,
FastCGI, or anything else.

Humbly,

Andrew

----------------------------------------------------------------------
Andrew Ho               http://www.tellme.com/       andrew@tellme.com
Engineer                   info@tellme.com          Voice 650-930-9062
Tellme Networks, Inc.       1-800-555-TELL            Fax 650-930-9101
----------------------------------------------------------------------