[lug] cgi shell

John E. Koontz koontz at boulder.nist.gov
Tue Feb 4 11:50:11 MST 2003


At 04:10 PM 2/3/2003 -0700, you wrote:
> > so I downloaded it and tried it... pretty scary, it allowed me
> > to get to / and go wherever I wanted. Is there a way to
> > allow users to have a cgi-bin but stop this sort of behavior?
>
> Chroot the webserver?

I don't know about this CGI shell mentioned, but the usual approach to
security with CGI scripts is to employ something like cgiwrap
(http://cgiwrap.unixtools.org/). This enables CGI scripts to execute as
particular users - either in special restricted accounts or as the user who
wrote them. Also, web servers should run under a special username with
restricted privileges. A certain amount of care is required in writing a
CGI script in any event. Generally one uses a scripting language like
Perl or Tcl or one of a dozen or so special systems for server-side
scripting. CGI is not especially suited to high-volume applications,
because it normally involves heavyweight processes, though there are some
workarounds for that.

I believe there are some other tools similar to cgiwrap.
John E. Koontz
NIST 896.04 PCSG
303-497-5180

N39° 59' 42.1" W 105° 15' 49.7"
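The wrapper approach described in the reply above, as an added example for this archive page rather than cgiwrap's own code: a minimal setuid-root wrapper in C that takes /<user>/<script> from PATH_INFO, refuses anything that could leave the user's cgi-bin, checks the script's ownership and permissions, drops to that user's uid and gid, rebuilds the environment and execs the script. The per-user directory public_html/cgi-bin, the minimum uid of 1000, the PATH_INFO layout and the list of environment variables passed through are assumptions for the example, not anything cgiwrap documents.

```c
/* Minimal cgiwrap-style setuid wrapper: run ~user/public_html/cgi-bin/<script>
 * as that user rather than as the web server's account.  Added example, not
 * cgiwrap's own source.  Assumed: installed setuid root, invoked by the server
 * with PATH_INFO of the form /<user>/<script>, scripts kept under CGI_DIR. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define CGI_DIR "public_html/cgi-bin"  /* assumed per-user script directory */
#define MIN_UID 1000                   /* assumed: never run as a system account */
#define NAME_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-."

/* Reasons to refuse a script; script_problems() ORs them together. */
enum { P_LOW_UID = 1, P_NOT_REG = 2, P_NOT_OWNED = 4,
       P_WRITABLE = 8, P_SETID = 16, P_NOT_EXEC = 32 };

/* One path component from a strict whitelist: no '/', no "." or "..". */
static int safe_name(const char *s, size_t max)
{
    size_t n = strlen(s);
    if (n == 0 || n > max || !strcmp(s, ".") || !strcmp(s, ".."))
        return 0;
    return strspn(s, NAME_CHARS) == n;
}

/* Split "/user/script" into user and script; 1 on success, 0 if malformed.
 * Extra slashes or dot components are rejected, so nothing escapes the cgi-bin. */
int parse_path_info(const char *path_info, char *user, size_t ulen,
                    char *script, size_t slen)
{
    if (path_info == NULL || path_info[0] != '/')
        return 0;
    const char *u = path_info + 1, *slash = strchr(u, '/');
    if (slash == NULL || strchr(slash + 1, '/') != NULL)
        return 0;
    size_t un = (size_t)(slash - u);
    if (un == 0 || un >= ulen || strlen(slash + 1) >= slen)
        return 0;
    memcpy(user, u, un);
    user[un] = '\0';
    strcpy(script, slash + 1);
    return safe_name(user, 32) && safe_name(script, 255);
}

/* Checks the file must pass before the wrapper becomes owner_uid. */
int script_problems(const struct stat *st, uid_t owner_uid)
{
    int p = 0;
    if (owner_uid < MIN_UID)               p |= P_LOW_UID;   /* root, daemon, www... */
    if (!S_ISREG(st->st_mode))             p |= P_NOT_REG;
    if (st->st_uid != owner_uid)           p |= P_NOT_OWNED;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) p |= P_WRITABLE;  /* others could edit it */
    if (st->st_mode & (S_ISUID | S_ISGID)) p |= P_SETID;     /* no second identity hop */
    if (!(st->st_mode & S_IXUSR))          p |= P_NOT_EXEC;
    return p;
}

static void fail(const char *status, const char *msg)
{
    printf("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n", status, msg);
    exit(1);
}

int main(void)
{
    static const char *keep[] = { "GATEWAY_INTERFACE", "REQUEST_METHOD",
        "QUERY_STRING", "CONTENT_TYPE", "CONTENT_LENGTH", "REMOTE_ADDR",
        "SERVER_NAME", "SERVER_PORT", "SERVER_PROTOCOL", "HTTP_HOST", NULL };
    char user[33], script[256], path[4096], *env[16];
    struct passwd *pw; struct stat st; int n = 0;

    if (!parse_path_info(getenv("PATH_INFO"), user, sizeof user, script, sizeof script))
        fail("400 Bad Request", "bad PATH_INFO");
    if ((pw = getpwnam(user)) == NULL)
        fail("404 Not Found", "no such user");
    if (snprintf(path, sizeof path, "%s/%s/%s", pw->pw_dir, CGI_DIR, script) >= (int)sizeof path)
        fail("400 Bad Request", "path too long");
    if (stat(path, &st) != 0)
        fail("404 Not Found", "no such script");
    if (script_problems(&st, pw->pw_uid) != 0)
        fail("403 Forbidden", "script fails ownership/permission checks");
    /* Drop privileges irreversibly: supplementary groups, then gid, then uid
     * (setuid first would leave us unable to setgid), and prove it stuck. */
    if (setgroups(0, NULL) || setgid(pw->pw_gid) || setuid(pw->pw_uid) || setuid(0) == 0)
        fail("500 Internal Server Error", "could not drop privileges");
    /* Rebuild the environment: CGI variables plus a fixed PATH only, so nothing
     * like LD_PRELOAD is inherited from the server process. */
    env[n++] = "PATH=/usr/bin:/bin";
    for (int i = 0; keep[i] != NULL && n < 15; i++)
        if (getenv(keep[i]) && asprintf(&env[n++], "%s=%s", keep[i], getenv(keep[i])) < 0)
            fail("500 Internal Server Error", "out of memory");
    env[n] = NULL;
    execve(path, (char *[]){ path, NULL }, env);
    fail("500 Internal Server Error", "exec failed");
    return 1;
}
```

Installed setuid root and requested as, say, /cgi-bin/cgiwrap/alice/hello.cgi, this runs alice's script with alice's uid and gid, so the web server's own account never executes user code and a misbehaving script can touch only what alice can. It is a compiled program on purpose: Linux ignores the setuid bit on #! scripts, so a wrapper of this kind cannot be a Perl or shell script. Two caveats a practitioner should keep in mind: there is a window between stat() and execve() in which the file could be swapped (opening the file, fstat()ing the descriptor and fexecve()ing it closes it), and running as the owning user limits privilege, not visibility. A script that runs as alice can still read anything world-readable, including /, which is what the quoted "cgi shell" complaint is about; only chroot or a similar confinement narrows the filesystem view.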