Perl script in Linux allows users to spy on each other
Posted on 2005-05-05
I just did a little test and it scared me to death. If I make a simple perl script that does "cat /etc/passwd" I can see a list of all the users on my system. Of course I'm running this script from an unprivileged user's cgi-bin and printing the output to the browser. This also allows me to see their home directories.
If I make another script that will "ls -l" their directories, this would allow one user to browse the contents of another user's directories and see a listing of all their files. This is horribly insecure and although I haven't tested, I suspect you could use a few more simple commands to gain access to scripts they may have uploaded to their cgi-bin. In that case, a user on my system could exploit programming errors made by another user.
Is there anything I can do to stop this from happening??? I just want to prevent users on my server from creating scripts that will allow them to snoop around the system.
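An added check, not from the original post, that an admin could run against the situation described above: it reports home directories whose "other" permission bits let any local user (and therefore any user's CGI script) read or traverse them, and optionally strips those bits. Assumes a POSIX shell with stat(1); the function names and the directory argument are my own.

```shell
#!/bin/sh
# Audit home directories for "other" permission bits. A 755 home directory
# is what lets one user's CGI script "ls -l" another user's files.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List subdirectories of $1 whose "other" permission bits are non-zero.
# Returns 0 when every directory is private, 1 when at least one is exposed.
audit_homes() {
    base=$1
    exposed=0
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        mode=$(perm_of "$dir")
        # The last octal digit is the "other" class (r=4, w=2, x=1).
        other=$(printf '%s' "$mode" | tail -c 1)
        if [ "$other" != "0" ]; then
            printf 'EXPOSED %s mode=%s (other=%s)\n' "$dir" "$mode" "$other"
            exposed=1
        fi
    done
    return $exposed
}

# Remove the "other" bits from every subdirectory of $1 (e.g. 755 -> 750).
# The owner keeps full access; if the web server must reach a cgi-bin,
# grant that through the group rather than through "other".
lock_homes() {
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        chmod o-rwx "${dir%/}"
    done
}
```

Typical use is `audit_homes /home` followed by `lock_homes /home`. This does not hide the user list itself, since /etc/passwd has to stay world-readable for the system to work.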