Solved

CGI script SUID?

Posted on 1998-03-22
5
294 Views
Last Modified: 2013-12-25
Hi,

I would like a to make a script that makes it possible for users to change their .forward file through a HTML interface. I have no trouble programming this, but to open the .forward files for write, I need to SUID to the
users UID (or SUID root and then chown the file afterwards). I'm using apache 1.2.5, which doesn't execute
scripts with the SUID bit set. Does anybody know a solution for this? I've looked into the suexec wrapper, but there doesn't seem to be a method to suid to a UID depending on who has logged into the webpage.
0
Comment
Question by:alexbik
  • 3
5 Comments
 
LVL 5

Expert Comment

by:n0thing
ID: 1832190
One simple way to deal with the above problem is to create a special group and change all the .forward file to rw-rw---- so any scripts with that GID could edit that file. But it has a potential problem if the owner of the .forward file change the permission to 600 again. I've looked at the suexec wrapper, the docs says it must be install as root and have the SUID bit set to on. Unfortunately, it doesn't allow you  to modify anything not under the DocumentRoot dir. Another solution would be adding the changes to a file
with the format "user:email addr" then every 5, 10 minutes ...run a cron job as root to read that file and edit the user's .forward file accordingly.

Regards,
Minh Lai
0
 
LVL 2

Author Comment

by:alexbik
ID: 1832191
Hi,

I've looked into a group-based solution, but this is not acceptable to me.
The problem is that a user can also put a .forward in his homedir through
ftp or telnet. It is owned by the user, goup users. In this way I cannot access
the file for write anymore from my script if I would do It on a group basis.
I cannot use the group 'users' for this purpose, or all users will be able toe
change other users' .forward files.

The thought of running a cron job processing the files once every few minutes
crossed my mind, but it's a bit messy I would like the changes to be processed
right away.

If no one comes up with a better solution I'll give you the points.

Alex.
0
 
LVL 2

Accepted Solution

by:
eckspurt earned 150 total points
ID: 1832192
Apache does allow you to have suid CGI programs.

You're right that there's nothing ready-made to set the effective user in a CGI suid wrapper, but if the wrapper is suid root, it will be allowed to edit any user's .forward file.  Make sure, of course, that you've restricted access based on user first!

The best thing to do would probably be to edit the suid wrapper to check who the user is authenticated as (which you get as a CGI environment variable), then set the effective user to be that.  You still run the wrapper suid root (only root can change the effective user), but it slightly limits the potential damage a malicious user could do.  

You didn't say what language you're writing your CGI in, but it would be best to do the whole thing in C or Safe Perl so you can suid only the file that contains the function you need the effective user changed for (writing a user's .forward file).

0
 
LVL 2

Author Comment

by:alexbik
ID: 1832193
Hi,

I'm writing the script in perl. If I make the script SUID root, I get an 500.
Here's what the logfile says:

Can't do setuid
[Wed Apr  1 19:40:06 1998] access to /var/http/cgi-bin/test.pl failed for xxxxx.xxxx.nl, reason: Premature end of script headers

Apearantly Apache refuses to run suid perlscripts. It may be possible to do it in C though, but that gives me the following problem: I don't want to write the whole script in C. If I write only the part that creates the .forward in C, I need to pass the content, the username and the filename (or only the username and the content) on to the C code. There's a potential security risk, because I have no way of checking that the script is started by the CGI script (meaning the user is already authenticated).  Or is there? (I can get around in perl, but I'm really no C programmer).

Alex
0
 
LVL 2

Author Comment

by:alexbik
ID: 1832194
Hi,

I've come up with a solution to the problem. A friend of mine wrote a C program
that reads the CGI data, compares the username I pass him from my perl script
with the username in the REMOTE_USER environment var, writes the file,
and chowns it to the users' UID. Since this is C code, it can be executed SUID.
The program is owned by root.www, permissions 4550. In this way it can only be
executed by the webserver. Since it is in a .htaccess secured directory, only
authenticated users can use it. The parameters passed from the HTML form are
checked against the environment var, to prevent misuse of the program.

Thanks anyway.

Alex.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
User profile Size Report 3 84
script issue to add permissions to the registry hive 2 43
exchange ,script 10 52
Remove all hidden metadata properties of MS .Docx Files 7 46
Making a simple AJAX shopping cart Couple years ago I made my first shopping cart, I used iframe and JavaScript, it was very good at that time, there were no sessions or AJAX, I used cookies on clients machine. Today we have more advanced techno…
In threads here at EE, each comment has a unique Identifier (ID). It is easy to get the full path for an ID via the right-click context menu. However, we often want to post a short link within a thread rather than the full link. This article shows a…
Learn the basics of modules and packages in Python. Every Python file is a module, ending in the suffix: .py: Modules are a collection of functions and variables.: Packages are a collection of modules.: Module functions and variables are accessed us…
The viewer will learn how to dynamically set the form action using jQuery.

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question