You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Boyle Owen <Ow...@swx.com> on 2002/08/02 10:50:05 UTC
RE: Restricting types of CGI programs
>From: Lee [mailto:lee@unassemble.co.uk]
>
>I would like to try and restrict the types of CGI scripts that
>can be run
>from my webserver (Apache 1.3.26 & 1.3.26 with mod_ssl
>running on FreeBSD
>4.6). Does anyone know if this is possible?
>Basically I want to restrict users to only being able to run
>Perl scripts.
I can't think of an easy way to do this... The CGI engine just grabs the file and passes it to the OS which tries to execute it - whether it loads an interpreter (perl or shell-script) or executes it directly (compiled binary) depends on the file contents. Apache deson't have the capability to look into the file and recognise its architecture.
A workaround would be to write a program which would:
- parse httpd.conf to find the locations of all CGI progs (ScriptAlias or AddHandler lines)
- read each CGI prog and, using clever pattern matching, decide if it is a "legal" program
- if it finds an "illegal" program, remove it, or (less draconian) switch off the execute permission and alert the admin (You).
This monitor program could be invoked to run every minute by crond or could be a daemon...
Presumably you want to do this so you can audit their code and check they are not doing anything dangerous? Be warned that anything you can do in C, you can do in Perl - there is nothing intrinsically "safe" about Perl. Also, regards readability, there used to be a competition in the Perl Journal where contestants had to write a program which looked like it did one thing but, in fact, did another. Failing that, they got points for a program which was impossible to read. This was the Obfuscated Perl Contest. So I wouldn't be too confident that you will always be able to screen out dodgy code - it is quite easy to make write-only Perl :-)
Rgds,
Owen Boyle
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Restricting types of CGI programs
Posted by Lee <le...@unassemble.co.uk>.
Sorry, my memory is playing up again. The script I used was as follows
#!/bin/sh
echo "Content-Type: text/plain"
echo
echo
ls -l
This works fine on my own apache web server.
----- Original Message -----
From: "Lee" <le...@unassemble.co.uk>
To: <us...@httpd.apache.org>
Sent: Friday, August 02, 2002 10:10 AM
Subject: Re: Restricting types of CGI programs
> Cheers for that.
>
> I was just curious as to if/how it was possible.
>
> I had a site hosted on a FreeBSD server once and I was then running Perl
> scripts (which ran fine) but then I wanted to see if would run any others,
> such as sh or bash. When I tried I just got "Internal Server Error", as
> far as I could tell the scripts were correct, in fact all one particular
one
> did was
>
> #!/bin/sh
> ls -l
>
> And that was it.
>
> Regards Lee
>
> ----- Original Message -----
> From: "Boyle Owen" <Ow...@swx.com>
> To: <us...@httpd.apache.org>
> Sent: Friday, August 02, 2002 9:50 AM
> Subject: RE: Restricting types of CGI programs
>
>
> >From: Lee [mailto:lee@unassemble.co.uk]
> >
> >I would like to try and restrict the types of CGI scripts that
> >can be run
> >from my webserver (Apache 1.3.26 & 1.3.26 with mod_ssl
> >running on FreeBSD
> >4.6). Does anyone know if this is possible?
> >Basically I want to restrict users to only being able to run
> >Perl scripts.
>
> I can't think of an easy way to do this... The CGI engine just grabs the
> file and passes it to the OS which tries to execute it - whether it loads
an
> interpreter (perl or shell-script) or executes it directly (compiled
binary)
> depends on the file contents. Apache deson't have the capability to look
> into the file and recognise its architecture.
>
> A workaround would be to write a program which would:
>
> - parse httpd.conf to find the locations of all CGI progs (ScriptAlias or
> AddHandler lines)
> - read each CGI prog and, using clever pattern matching, decide if it is a
> "legal" program
> - if it finds an "illegal" program, remove it, or (less draconian) switch
> off the execute permission and alert the admin (You).
>
> This monitor program could be invoked to run every minute by crond or
could
> be a daemon...
>
> Presumably you want to do this so you can audit their code and check they
> are not doing anything dangerous? Be warned that anything you can do in C,
> you can do in Perl - there is nothing intrinsically "safe" about Perl.
Also,
> regards readability, there used to be a competition in the Perl Journal
> where contestants had to write a program which looked like it did one
thing
> but, in fact, did another. Failing that, they got points for a program
which
> was impossible to read. This was the Obfuscated Perl Contest. So I
wouldn't
> be too confident that you will always be able to screen out dodgy code -
it
> is quite easy to make write-only Perl :-)
>
> Rgds,
>
> Owen Boyle
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Restricting types of CGI programs
Posted by Lee <le...@unassemble.co.uk>.
Cheers for that.
I was just curious as to if/how it was possible.
I had a site hosted on a FreeBSD server once and I was then running Perl
scripts (which ran fine) but then I wanted to see if would run any others,
such as sh or bash. When I tried I just got "Internal Server Error", as
far as I could tell the scripts were correct, in fact all one particular one
did was
#!/bin/sh
ls -l
And that was it.
Regards Lee
----- Original Message -----
From: "Boyle Owen" <Ow...@swx.com>
To: <us...@httpd.apache.org>
Sent: Friday, August 02, 2002 9:50 AM
Subject: RE: Restricting types of CGI programs
>From: Lee [mailto:lee@unassemble.co.uk]
>
>I would like to try and restrict the types of CGI scripts that
>can be run
>from my webserver (Apache 1.3.26 & 1.3.26 with mod_ssl
>running on FreeBSD
>4.6). Does anyone know if this is possible?
>Basically I want to restrict users to only being able to run
>Perl scripts.
I can't think of an easy way to do this... The CGI engine just grabs the
file and passes it to the OS which tries to execute it - whether it loads an
interpreter (perl or shell-script) or executes it directly (compiled binary)
depends on the file contents. Apache deson't have the capability to look
into the file and recognise its architecture.
A workaround would be to write a program which would:
- parse httpd.conf to find the locations of all CGI progs (ScriptAlias or
AddHandler lines)
- read each CGI prog and, using clever pattern matching, decide if it is a
"legal" program
- if it finds an "illegal" program, remove it, or (less draconian) switch
off the execute permission and alert the admin (You).
This monitor program could be invoked to run every minute by crond or could
be a daemon...
Presumably you want to do this so you can audit their code and check they
are not doing anything dangerous? Be warned that anything you can do in C,
you can do in Perl - there is nothing intrinsically "safe" about Perl. Also,
regards readability, there used to be a competition in the Perl Journal
where contestants had to write a program which looked like it did one thing
but, in fact, did another. Failing that, they got points for a program which
was impossible to read. This was the Obfuscated Perl Contest. So I wouldn't
be too confident that you will always be able to screen out dodgy code - it
is quite easy to make write-only Perl :-)
Rgds,
Owen Boyle
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org