[lug] cgi shell
joem at uu.net
Mon Feb 3 18:04:22 MST 2003
On Mon, Feb 03, 2003 at 05:04:06PM -0700, Rob Riggs wrote:
> jd wrote:
> > Today at slashdot there is a write-up about
> > a cgi shell.
> > So I downloaded it and tried it... pretty scary, it allowed me
> > to get to / and go wherever I wanted. Is there a way to
> > allow users to have a cgi-bin but stop this sort of behavior?
> Anyone who can install CGI applications can grant anyone with access to
> the web server the same level of access that any CGI application has.
> This generally means the same level of access as the web server's EUID.
> The only way to limit the access is through something like CHROOT.
> There is a patch for Apache to do just this:
> http://home.iae.nl/users/devet/apache/chroot/ .
> In my experience, most web hosting services do not allow clients to
> install CGI applications on shared systems. Anyone needing CGI access
> generally has to rent a separate server so that their security mistakes
> affect only them.

In our shared hosting environment, we set resource limits by running
a script first (denoted in our customers' httpd.conf file) that sets
resource limits on the process about to get run. Apache has a module
that will do the same thing, but if it's got mod_perl running, a user
has access to all of apache's internals and can set limits to whatever
mod_cgi and mod_include in this build of apache have been compiled
with our rbox software. It's implicitly called whenever a cgi
is called within the DocumentRoot or when a cgi is run inside server

By setting resource limits in a script before the CGIs execute, you
limit your exposure. A CGI can't bring down the whole box in a shared
env. Running stuff from the shell is another story; it's harder to
police, like what do you do if someone runs this:
from a bash shell (don't do it). Solaris has something called Resource
Manager which does a pretty good job of limiting users' resources, but
I'm looking for something in Linux. Any suggestions?