Posted to users@httpd.apache.org by Steve <st...@iprimus.com.au> on 2002/11/24 01:08:28 UTC

[users@httpd] Re: CGI - Disable #!/bin/sh

Hi,
    How do you stop a client from using something like

---hack.cgi---
#!/bin/sh
echo "Cat all files in user2 dir"
cat /home/web/users/user2/web/*
--hack.cgi---

This will allow someone to cat all the files in user2's dir. Because all
the files need to be readable by all for the webserver user www to be able
to read them, this user will be able to read the files also..

Is there any way of making CGI stay in its own directory and not be allowed
to go out of it.. or to stop it from running /bin/bash or something like
that so it can't view other users' files..

/Steve


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: CGI - Disable #!/bin/sh

Posted by Zac Stevens <zt...@cryptocracy.com>.
On Mon, Nov 25, 2002 at 12:11:10AM +1100, Steve wrote:
> Ok, I've been looking around the net on how to make CGI secure so you can give
> it to untrusted users..
> 
> I've heard of sbox, which allows this.. anyone else heard of it?
> 
> Or does anyone know of any other things that can help?

Yes, searching the archives would be a good start.  You can read about it
at http://stein.cshl.org/~lstein/sbox/

Sbox or suexec are, in my opinion, essential for web hosting environments.
Running everything as a sandboxed user (e.g., "nobody" or "http") might
protect your system, but it won't protect your customers from each other.

Both suexec and sbox work by extending the unix security model to the
webserver environment.

To be perfectly frank, from the nature of the questions you've been asking
the past week or so I think you'd be best served by getting hold of a unix
administration book with a good section on local security.  Once you
understand the fundamentals, you'll find much of the web-specific stuff to
be self-evident.

HTH,


Zac

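As an added example (not code from this thread, from suexec itself, or from the Apache project), the following POSIX shell script approximates the ownership and permission checks that suexec performs before it will run a script as the target user: the script and its directory must be owned by that uid, neither may be group- or world-writable, and the script may not be setuid or setgid. It assumes the virtual host is already set up to run scripts as that user (SuexecUserGroup in Apache 2.x) and that `ls -n` and `id -u` are available; the directory layout, file names and the "other customer" uid are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: not code from this thread, from suexec, or from the Apache
# project. It approximates the ownership and permission checks suexec makes
# before running a CGI script as the owning user, so a hosting admin can
# audit a customer's cgi-bin locally. Assumes POSIX sh with ls -n and id -u.

# check_suexec_script <expected_uid> <path/to/script.cgi>
# Prints one line per failed condition; returns 0 if all pass, 1 otherwise.
check_suexec_script() {
    expected_uid=$1
    script=$2
    dir=$(dirname "$script")
    rc=0
    for path in "$dir" "$script"; do
        # "ls -lnd" prints "mode links uid gid ...". Numeric ids keep the
        # comparison independent of name lookups.
        set -- $(ls -lnd "$path")
        mode=$1
        uid=$3
        if [ "$uid" != "$expected_uid" ]; then
            echo "FAIL: $path is owned by uid $uid, expected $expected_uid"
            rc=1
        fi
        # In the mode string, position 6 is group write and 9 is other write.
        case "$mode" in ?????w*) echo "FAIL: $path is group-writable"; rc=1 ;; esac
        case "$mode" in ????????w*) echo "FAIL: $path is world-writable"; rc=1 ;; esac
    done
    # Positions 4 and 7 show s/S when setuid or setgid is set on the script.
    smode=$(ls -lnd "$script" | cut -c1-10)
    case "$smode" in
        ???[sS]*|??????[sS]*) echo "FAIL: $script is setuid or setgid"; rc=1 ;;
    esac
    return $rc
}

# build_demo_tree: constructed sample layout (not a real hosting tree) in a
# temp dir with one correctly permissioned script and one world-writable
# script. Prints the temp dir path so the caller can clean it up.
build_demo_tree() {
    root=$(mktemp -d)
    cgi="$root/user1/cgi-bin"
    mkdir -p "$cgi"
    chmod 755 "$cgi"
    for name in good.cgi bad.cgi; do
        printf '#!/bin/sh\necho "Content-type: text/plain"\necho\necho hello\n' > "$cgi/$name"
    done
    chmod 755 "$cgi/good.cgi"
    chmod 777 "$cgi/bad.cgi"   # the defect suexec refuses to run
    echo "$root"
}

# Stand-alone demonstration.
root=$(build_demo_tree)
me=$(id -u)
other=$((me + 1))   # constructed stand-in for another customer's uid
check_suexec_script "$me" "$root/user1/cgi-bin/good.cgi" && echo "good.cgi: OK"
check_suexec_script "$me" "$root/user1/cgi-bin/bad.cgi" || echo "bad.cgi: rejected"
check_suexec_script "$other" "$root/user1/cgi-bin/good.cgi" || echo "wrong owner: rejected"
rm -rf "$root"
```

The owner check is where Zac's and Joshua's point shows up: once each customer's CGI runs under that customer's own uid, user2's web files no longer have to be world-readable. A mode such as 0640 with a group the httpd user belongs to is enough for static content, and a script belonging to user1, now running as user1, is refused by the kernel's ordinary permission checks rather than by anything the web server does. suexec also enforces conditions this audit does not (minimum uid and gid, refusing root, containment within the document root), so use it as a pre-deployment sanity check, not as a substitute.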


Re: [users@httpd] Re: CGI - Disable #!/bin/sh

Posted by Steve <st...@iprimus.com.au>.
Ok, I've been looking around the net on how to make CGI secure so you can give
it to untrusted users..

I've heard of sbox, which allows this.. anyone else heard of it?

Or does anyone know of any other things that can help?

/Steve

----- Original Message -----
From: "Lewis Watson" <li...@visionsix.com>
To: <us...@httpd.apache.org>
Sent: Sunday, November 24, 2002 5:03 PM
Subject: Re: [users@httpd] Re: CGI - Disable #!/bin/sh


> > > ----- Original Message -----
> > > From: "Steve" <st...@iprimus.com.au>
> > > To: <us...@httpd.apache.org>
> > > Sent: Saturday, November 23, 2002 10:55 PM
> > > Subject: Re: [users@httpd] Re: CGI - Disable #!/bin/sh
> > > >
> > > > How do you install PHP as CGI?
> > > >
> > > > I've looked and looked but I can't find any install instructions
> > > >
> > > > /Steve
> > >
> > >
> > > Hi Steve,
> > > The links below have some good information for php as a cgi
> > > http://www.php.net/manual/en/install.commandline.php
> > >
> > > http://www.php.net/manual/en/security.cgi-bin.php
> > >
> > > It's really a straightforward install for PHP as a CGI.
> > > hth,
> > > Lewis
> > >
>
>
>
> ----- Original Message -----
> From: "Steve" <st...@iprimus.com.au>
> To: <us...@httpd.apache.org>
> Sent: Saturday, November 23, 2002 11:37 PM
> Subject: Re: [users@httpd] Re: CGI - Disable #!/bin/sh
>
> > I've looked at those links over and over
> >
> > Where does it tell you what to do?? Like how to install it?
>
>
> Hi Steve,
> The first two sentences of the first link:
>
> "The default is to build PHP as a CGI program. This creates a commandline
> interpreter, which can be used for CGI processing, or for non-web-related
> PHP scripting."
>
> This means that a standard install will install as the cgi version. If you
> are on a *nix go to the Unix install page.
> http://www.php.net/manual/en/install.apache.php#install.apache.unix
>
> If you are on Windows, then go to the Windows install pages for further
> information.
> http://www.php.net/manual/en/install.apache.php#install.apache.windows
>
> Before you install either one I would seriously go back and reread the pages
> regarding *security* and the OS of the server you want to build PHP on. The
> actual PHP manual begins here:
> http://www.php.net/manual/en/
>
> Also, a complete list of install configuration options is here:
> http://www.php.net/manual/en/install.configure.php
> hth,
> Lewis
>
>
>
>
>




Re: [users@httpd] Re: CGI - Disable #!/bin/sh

Posted by Lewis Watson <li...@visionsix.com>.
> > ----- Original Message -----
> > From: "Steve" <st...@iprimus.com.au>
> > To: <us...@httpd.apache.org>
> > Sent: Saturday, November 23, 2002 10:55 PM
> > Subject: Re: [users@httpd] Re: CGI - Disable #!/bin/sh
> > >
> > > How do you install PHP as CGI?
> > >
> > > I've looked and looked but I can't find any install instructions
> > >
> > > /Steve
> >
> >
> > Hi Steve,
> > The links below have some good information for php as a cgi
> > http://www.php.net/manual/en/install.commandline.php
> >
> > http://www.php.net/manual/en/security.cgi-bin.php
> >
> > It's really a straightforward install for PHP as a CGI.
> > hth,
> > Lewis
> >



----- Original Message -----
From: "Steve" <st...@iprimus.com.au>
To: <us...@httpd.apache.org>
Sent: Saturday, November 23, 2002 11:37 PM
Subject: Re: [users@httpd] Re: CGI - Disable #!/bin/sh

> I've looked at those links over and over
>
> Where does it tell you what to do?? Like how to install it?


Hi Steve,
The first two sentences of the first link:

"The default is to build PHP as a CGI program. This creates a commandline
interpreter, which can be used for CGI processing, or for non-web-related
PHP scripting."

This means that a standard install will install as the cgi version. If you
are on a *nix go to the Unix install page.
http://www.php.net/manual/en/install.apache.php#install.apache.unix

If you are on Windows, then go to the Windows install pages for further
information.
http://www.php.net/manual/en/install.apache.php#install.apache.windows

Before you install either one I would seriously go back and reread the pages
regarding *security* and the OS of the server you want to build PHP on. The
actual PHP manual begins here:
http://www.php.net/manual/en/

Also, a complete list of install configuration options is here:
http://www.php.net/manual/en/install.configure.php
hth,
Lewis






Re: [users@httpd] Re: CGI - Disable #!/bin/sh

Posted by Steve <st...@iprimus.com.au>.
I've looked at those links over and over

Where does it tell you what to do?? Like how to install it?
----- Original Message -----
From: "Lewis Watson" <li...@visionsix.com>
To: <us...@httpd.apache.org>
Sent: Sunday, November 24, 2002 3:57 PM
Subject: Re: [users@httpd] Re: CGI - Disable #!/bin/sh


>
> ----- Original Message -----
> From: "Steve" <st...@iprimus.com.au>
> To: <us...@httpd.apache.org>
> Sent: Saturday, November 23, 2002 10:55 PM
> Subject: Re: [users@httpd] Re: CGI - Disable #!/bin/sh
> >
> > How do you install PHP as CGI?
> >
> > I've looked and looked but I can't find any install instructions
> >
> > /Steve
>
>
> Hi Steve,
> The links below have some good information for php as a cgi
> http://www.php.net/manual/en/install.commandline.php
>
> http://www.php.net/manual/en/security.cgi-bin.php
>
> It's really a straightforward install for PHP as a CGI.
> hth,
> Lewis
>
>
>
>




Re: [users@httpd] Re: CGI - Disable #!/bin/sh

Posted by Lewis Watson <li...@visionsix.com>.
----- Original Message ----- 
From: "Steve" <st...@iprimus.com.au>
To: <us...@httpd.apache.org>
Sent: Saturday, November 23, 2002 10:55 PM
Subject: Re: [users@httpd] Re: CGI - Disable #!/bin/sh
> 
> How do you install PHP as CGI?
> 
> I've looked and looked but I can't find any install instructions
> 
> /Steve


Hi Steve,
The links below have some good information for php as a cgi
http://www.php.net/manual/en/install.commandline.php

http://www.php.net/manual/en/security.cgi-bin.php

It's really a straightforward install for PHP as a CGI.
hth,
Lewis





Re: [users@httpd] Re: CGI - Disable #!/bin/sh

Posted by Steve <st...@iprimus.com.au>.
Ok fair enough..

How do you install PHP as CGI?

I've looked and looked but I can't find any install instructions

/Steve
----- Original Message -----
From: "Joshua Slive" <jo...@slive.ca>
To: <us...@httpd.apache.org>
Sent: Sunday, November 24, 2002 2:27 PM
Subject: Re: [users@httpd] Re: CGI - Disable #!/bin/sh


>
>
> On Sun, 24 Nov 2002, Steve wrote:
>
> > I've got it installed..
> >
> > but is there a way you can bypass the uid and gid checks..
> >
> > My web users are not in /etc/passwd.. so suexec is spitting out invalid
> > user...
> >
> > Is there a way you can get Apache to use a different passwd file or
> > something?
>
> No.  suexec is based on the unix security model.
>
> If you are not giving unix accounts to your users, then you really
> shouldn't be letting them run arbitrary cgi scripts.  There is no way
> you're going to be able to properly isolate them.
>
> Joshua.
>
>
>




Re: [users@httpd] Re: CGI - Disable #!/bin/sh

Posted by Joshua Slive <jo...@slive.ca>.

On Sun, 24 Nov 2002, Steve wrote:

> I've got it installed..
>
> but is there a way you can bypass the uid and gid checks..
>
> My web users are not in /etc/passwd.. so suexec is spitting out invalid
> user...
>
> Is there a way you can get Apache to use a different passwd file or something?

No.  suexec is based on the unix security model.

If you are not giving unix accounts to your users, then you really
shouldn't be letting them run arbitrary cgi scripts.  There is no way
you're going to be able to properly isolate them.

Joshua.




Re: [users@httpd] Re: CGI - Disable #!/bin/sh

Posted by Steve <st...@iprimus.com.au>.
I've got it installed..

but is there a way you can bypass the uid and gid checks..

My web users are not in /etc/passwd.. so suexec is spitting out invalid
user...

Is there a way you can get Apache to use a different passwd file or something?
----- Original Message -----
From: "Lewis Watson" <li...@visionsix.com>
To: <us...@httpd.apache.org>
Sent: Sunday, November 24, 2002 11:31 AM
Subject: Re: [users@httpd] Re: CGI - Disable #!/bin/sh


> ----- Original Message -----
> From: "Steve" <st...@iprimus.com.au>
> To: <us...@httpd.apache.org>
> Sent: Saturday, November 23, 2002 6:08 PM
> Subject: [users@httpd] Re: CGI - Disable #!/bin/sh
>
>
> > Hi,
> >      How do you stop a client from using something like
> >
> >  ---hack.cgi---
> >  #!/bin/sh
> >  echo "Cat all files in user2 dir"
> >  cat /home/web/users/user2/web/*
> >  --hack.cgi---
> >
> >  This will allow someone to cat all the files in user2's dir. Because all
> >  the files need to be readable by all for the webserver user www to be able
> >  to read them, this user will be able to read the files also..
> >
> >  Is there any way of making CGI stay in its own directory and not be allowed
> >  to go out of it.. or to stop it from running /bin/bash or something like
> >  that so it can't view other users' files..
> >
> >  /Steve
>
>
> Hi Steve.
> Suexec should do what you want..
> http://httpd.apache.org/docs/suexec.html
> hth,
> Lewis
>
>
>




Re: [users@httpd] Re: CGI - Disable #!/bin/sh

Posted by Lewis Watson <li...@visionsix.com>.
----- Original Message -----
From: "Steve" <st...@iprimus.com.au>
To: <us...@httpd.apache.org>
Sent: Saturday, November 23, 2002 6:08 PM
Subject: [users@httpd] Re: CGI - Disable #!/bin/sh


> Hi,
>      How do you stop a client from using something like
>
>  ---hack.cgi---
>  #!/bin/sh
>  echo "Cat all files in user2 dir"
>  cat /home/web/users/user2/web/*
>  --hack.cgi---
>
>  This will allow someone to cat all the files in user2's dir. Because all
>  the files need to be readable by all for the webserver user www to be able
>  to read them, this user will be able to read the files also..
>
>  Is there any way of making CGI stay in its own directory and not be allowed
>  to go out of it.. or to stop it from running /bin/bash or something like
>  that so it can't view other users' files..
>
>  /Steve


Hi Steve.
Suexec should do what you want..
http://httpd.apache.org/docs/suexec.html
hth,
Lewis

