Solved

CGI script SUID?

Posted on 1998-03-22
Last Modified: 2013-12-25
Hi,

I would like to make a script that makes it possible for users to change their .forward file through an HTML interface. I have no trouble programming this, but to open the .forward files for write, I need to SUID to the user's UID (or SUID root and then chown the file afterwards). I'm using apache 1.2.5, which doesn't execute scripts with the SUID bit set. Does anybody know a solution for this? I've looked into the suexec wrapper, but there doesn't seem to be a method to suid to a UID depending on who has logged into the webpage.
Question by:alexbik
5 Comments
 
LVL 5

Expert Comment

by:n0thing
ID: 1832190
One simple way to deal with the above problem is to create a special group and change all the .forward files to rw-rw---- so any script with that GID could edit that file. But it has a potential problem if the owner of the .forward file changes the permission to 600 again. I've looked at the suexec wrapper; the docs say it must be installed as root and have the SUID bit set on. Unfortunately, it doesn't allow you to modify anything not under the DocumentRoot dir. Another solution would be adding the changes to a file with the format "user:email addr", then every 5 or 10 minutes run a cron job as root to read that file and edit the user's .forward file accordingly.

Regards,
Minh Lai
 
LVL 2

Author Comment

by:alexbik
ID: 1832191
Hi,

I've looked into a group-based solution, but this is not acceptable to me. The problem is that a user can also put a .forward in his homedir through ftp or telnet. It is owned by the user, group users. In this way I cannot access the file for write anymore from my script if I would do it on a group basis. I cannot use the group 'users' for this purpose, or all users will be able to change other users' .forward files.

The thought of running a cron job processing the files once every few minutes crossed my mind, but it's a bit messy; I would like the changes to be processed right away.

If no one comes up with a better solution I'll give you the points.

Alex.
 
LVL 2

Accepted Solution

by:
eckspurt earned 450 total points
ID: 1832192
Apache does allow you to have suid CGI programs.

You're right that there's nothing ready-made to set the effective user in a CGI suid wrapper, but if the wrapper is suid root, it will be allowed to edit any user's .forward file.  Make sure, of course, that you've restricted access based on user first!

The best thing to do would probably be to edit the suid wrapper to check who the user is authenticated as (which you get as a CGI environment variable), then set the effective user to be that.  You still run the wrapper suid root (only root can change the effective user), but it slightly limits the potential damage a malicious user could do.  

You didn't say what language you're writing your CGI in, but it would be best to do the whole thing in C or Safe Perl so you can suid only the file that contains the function you need the effective user changed for (writing a user's .forward file).

 
LVL 2

Author Comment

by:alexbik
ID: 1832193
Hi,

I'm writing the script in perl. If I make the script SUID root, I get a 500.
Here's what the logfile says:

Can't do setuid
[Wed Apr  1 19:40:06 1998] access to /var/http/cgi-bin/test.pl failed for xxxxx.xxxx.nl, reason: Premature end of script headers

Apparently Apache refuses to run suid perl scripts. It may be possible to do it in C though, but that gives me the following problem: I don't want to write the whole script in C. If I write only the part that creates the .forward in C, I need to pass the content, the username and the filename (or only the username and the content) on to the C code. There's a potential security risk, because I have no way of checking that the script is started by the CGI script (meaning the user is already authenticated). Or is there? (I can get around in perl, but I'm really no C programmer.)

Alex
 
LVL 2

Author Comment

by:alexbik
ID: 1832194
Hi,

I've come up with a solution to the problem. A friend of mine wrote a C program that reads the CGI data, compares the username I pass him from my perl script with the username in the REMOTE_USER environment var, writes the file, and chowns it to the user's UID. Since this is C code, it can be executed SUID. The program is owned by root.www, permissions 4550. In this way it can only be executed by the webserver. Since it is in a .htaccess secured directory, only authenticated users can use it. The parameters passed from the HTML form are checked against the environment var, to prevent misuse of the program.

Thanks anyway.

Alex.
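The helper that the accepted answer sketches and that Alex's final comment describes, written out as an added example (not the program from this thread): it accepts the requested name only when it equals REMOTE_USER, and instead of writing as root and chowning afterwards it drops root to that user permanently and creates ~/.forward as the user. The argv/stdin contract, the 32-character name limit and the rejection of '|' and ':' in the address are assumptions of this example.

```c
#define _GNU_SOURCE              /* initgroups() and dprintf() prototypes on glibc */
#include <ctype.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Accept only plain account names: lowercase start, [a-z0-9_-], so no '/' or '..'. */
int valid_username(const char *u) {
    size_t n = u ? strlen(u) : 0;
    if (n == 0 || n > 32 || !islower((unsigned char)u[0])) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)u[i]) && u[i] != '_' && u[i] != '-') return 0;
    return 1;
}
/* The name from the form must equal the identity Apache authenticated
 * (REMOTE_USER); the helper never trusts the form field on its own. */
int caller_matches(const char *requested, const char *remote_user) {
    return requested && remote_user && valid_username(requested) &&
           strcmp(requested, remote_user) == 0;
}
/* Drop root to the target user (real and effective uid), then write ~/.forward
 * as that user: no chown needed, and O_NOFOLLOW refuses a planted symlink. */
int write_forward(const char *user, const char *addr) {
    struct passwd *pw = getpwnam(user);
    if (!pw || pw->pw_uid == 0) return -1;               /* never act as root */
    if (initgroups(user, pw->pw_gid) || setgid(pw->pw_gid) || setuid(pw->pw_uid))
        return -1;
    if (setuid(0) == 0) return -1;                       /* drop must be irrevocable */
    if (chdir(pw->pw_dir) != 0) return -1;
    int fd = open(".forward", O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    int ok = dprintf(fd, "%s\n", addr) > 0;
    return close(fd) == 0 && ok ? 0 : -1;
}
/* Assumed front-end contract: ./forward_helper <username>, forwarding address
 * on stdin; installed root-owned, group www, mode 4550, as in the thread. */
int main(int argc, char **argv) {
    char addr[256];
    if (argc != 2 || !caller_matches(argv[1], getenv("REMOTE_USER"))) return 2;
    if (!fgets(addr, sizeof addr, stdin)) return 2;
    addr[strcspn(addr, "\r\n")] = '\0';                  /* one line only */
    if (strchr(addr, '|') || strchr(addr, ':')) return 2; /* no "|prog" or :include: */
    return write_forward(argv[1], addr) == 0 ? 0 : 1;
}
```

The '|' and ':' filter matters because a .forward line can name a program to pipe mail into or a file to include, so a web form must never be allowed to write those forms.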