More CGI Comments

Robert S. Thau ([email protected])
Sat, 8 Jan 94 18:15:43 EST


Date: Sat, 08 Jan 1994 14:26:35 -0800
From: "Roy T. Fielding" <[email protected]>

Just prior to reading this I was looking at a local notice about login
security. Thus, my first thought was what would happen if some user
created a script which deletes (recursively) all of the files in the
invoker's home directory. Since the script would be executed under the
server's user ID (I think), would the script then delete all of the
server's subdirectories?

Depending on the local setup, it may or may not. For instance, you could
have all the server's files owned by, say, 'webmaster', and run the server
itself under the uid 'nobody'. The server's directories could then be
read-only to the server itself, and to any scripts which it happens to run.
However, this doesn't preclude other forms of mischief --- evasion of local
accounting rules, and so forth.

I'm not sure what would happen (I'm damn sure I don't want to test it),
but I think this question should be considered before allowing other
users to add scripts at will.

It's a matter of local policy, really --- specifically, how much trust you
have in your users. It's not an issue here, for instance, because people
here generally have write permission on the server's directories anyway.
If they want to destroy the server, nothing as messy as a trick script is
required.

Of course, we can afford to be that trusting because we don't have a large
population of potentially hostile users running directly on our machines.
People who aren't so blessed probably *shouldn't* allow users to add
scripts at will --- or should at least restrict the privilege to users who
aren't likely to abuse it. Any server which provides such a facility
should likewise provide the administrator with the tools to control it, via
access config files or the like.

(Incidentally, I don't think that any server should default to the sort of
wide-open configuration that I have running here --- it makes it too easy
for naive sysadmins to get into trouble. However, for those of us who can
use the option, it's very nice to have it).

....Roy Fielding ICS Grad Student, University of California, Irvine USA
([email protected])

rst
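The ownership split described in the reply above (files owned by 'webmaster', the server and any script it runs executing as 'nobody') can be checked rather than assumed. The following is an added audit example, not part of the original message: it applies the POSIX owner/group/other permission test to decide which files the server's uid could still modify, so an administrator can see what a trick script would actually be able to touch. The uids, gids and sample paths are assumed values constructed for the example.

```python
import os
import stat
from dataclasses import dataclass

# Assumed ids for the example; real values come from /etc/passwd on the host.
NOBODY_UID, NOBODY_GID = 65534, 65534
WEBMASTER_UID, WEBMASTER_GID = 1001, 1001


@dataclass(frozen=True)
class FileInfo:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits as found in st_mode


def writable_by(info: FileInfo, uid: int, gids: set) -> bool:
    """POSIX check: may a process with this uid/gids write to the file?
    Only one class applies, and owner is tested first even if it denies."""
    if uid == 0:  # a server running as root can write anything
        return True
    if info.uid == uid:
        return bool(info.mode & stat.S_IWUSR)
    if info.gid in gids:
        return bool(info.mode & stat.S_IWGRP)
    return bool(info.mode & stat.S_IWOTH)


def audit(files, server_uid, server_gids):
    """Paths the server (and hence any CGI script it runs) could modify."""
    return [f.path for f in files if writable_by(f, server_uid, server_gids)]


def scan_tree(root, server_uid, server_gids):
    """Same audit over a real tree; lstat so symlinks are judged, not followed."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in [os.curdir] + filenames:
            p = os.path.normpath(os.path.join(dirpath, name))
            st = os.lstat(p)
            found.extend(audit([FileInfo(p, st.st_uid, st.st_gid, st.st_mode)],
                               server_uid, server_gids))
    return found


# Constructed sample: a webmaster-owned tree that has drifted from read-only.
SAMPLE = [
    FileInfo("/usr/local/httpd/htdocs", WEBMASTER_UID, WEBMASTER_GID, 0o755),
    FileInfo("/usr/local/httpd/htdocs/index.html", WEBMASTER_UID, WEBMASTER_GID, 0o644),
    FileInfo("/usr/local/httpd/cgi-bin/query", WEBMASTER_UID, WEBMASTER_GID, 0o755),
    FileInfo("/usr/local/httpd/cgi-bin/upload", NOBODY_UID, WEBMASTER_GID, 0o644),  # owned by nobody
    FileInfo("/usr/local/httpd/htdocs/tmp", WEBMASTER_UID, WEBMASTER_GID, 0o777),  # world-writable
    FileInfo("/usr/local/httpd/logs", WEBMASTER_UID, NOBODY_GID, 0o775),  # group-writable by nobody
]
```

Running `audit(SAMPLE, NOBODY_UID, {NOBODY_GID})` lists only the three drifted entries; `scan_tree` does the same against a live document root.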