[lug] cgi shell

Joseph McDonald joem at uu.net
Mon Feb 3 18:04:22 MST 2003 

On Mon, Feb 03, 2003 at 05:04:06PM -0700, Rob Riggs wrote:
> jd wrote:
> 
> >Hello,
> > Today at slashdot there is a write-up about
> >a cgi shell.
> >http://slashdot.org/article.pl?sid=03/02/03/1531246&mode=thread&tid=162&tid=156
> >
> >so i downloaded it and tried it...pretty scary, it allowed me
> >to get to / and go where ever I wanted. Is there a way to
> >allow users to have a cgi-bin but stop this sort of behavior?
> >
> >  
> >
> Anyone who can install CGI applications can grant anyone with access to 
> the web server the same level of access that any CGI application has. 
>  This generally means the same level of access as the web server's EUID. 
> The only way to limit the access is through something like CHROOT. 
>  There is a patch for Apache to do just this: 
> http://home.iae.nl/users/devet/apache/chroot/ .
> 
> In my experience, most web hosting services do not allow clients to 
> install CGI applications on shared systems.  Anyone needing CGI access 
> generally has to rent a seperate server so that their security mistakes 
> affect only them.

In our shared hosting environment, we set resource limits by running
a script first (denoted in our customers httpd.conf file) that set's
resource limits on the process about to get run. Apache has a module,
that will do the same thing, but if it's got mod_perl running, a user
has access to all of apache's internals and can set limits to whatever
they want. 

mod_cgi and mod_include in this build of apache have been compiled
with our rbox software.  It's implicitly called whenever a cgi
is called within the DocumentRoot or when a cgi is run inside server
parsed html.

By setting resource limits in a script before the CGI's execute, you
limit your exposure. A CGI can't bring down the whole box in a shared
env.  Running stuff from the shell is another story, it's harder to 
police, like what do you do if someone runs this:

   :(){ :|:&};:

from a bash shell (don't do it). Solaris has something called Resource
Manager which does a pretty good job of limiting users resources, but
I'm looking for something in Linux. Any suggestions?

	--joey

More information about the LUG mailing list