[lug] cgi shell
John E. Koontz
koontz at boulder.nist.gov
Tue Feb 4 11:50:11 MST 2003
At 04:10 PM 2/3/2003 -0700, you wrote:
> > > so I downloaded it and tried it... pretty scary, it allowed me
> > > to get to / and go wherever I wanted. Is there a way to
> > > allow users to have a cgi-bin but stop this sort of behavior?
> >
> > Chroot the webserver?
I don't know about this cgi shell mentioned, but the usual approach to
security with cgi scripts is to employ something like cgiwrap
(http://cgiwrap.unixtools.org/). This enables cgi scripts to execute as
particular users - either in special restricted accounts or as the user who
wrote them. Also, web servers should run in a special username with
restricted privileges. A certain amount of care is required in writing a
CGI script in any event. Generally one uses a scripting language like
Perl or Tcl or one of a dozen or so special systems for server-side
scripting. CGI is not especially suited to high volume applications,
because it normally involves heavyweight processes, though there are some
workarounds for that.
I believe there are some other tools similar to cgiwrap.
John E. Koontz
NIST 896.04 PCSG
303-497-5180
N39° 59' 42.1" W 105° 15' 49.7"
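The two defences in the reply above (confine each user's scripts to their own cgi-bin and run them as that user rather than as the web server) are what a wrapper like cgiwrap enforces. The following is an added example written for this archive page, not cgiwrap's own code or anything from the original thread: it shows, in Python, the kind of path confinement, ownership/permission policy and privilege drop such a wrapper performs before handing off to a script. The directory layout (`/home/<user>/public_html/cgi-bin`), the `FileInfo` record and the sample users and modes are all constructed for the example.

```python
"""Simplified per-user CGI wrapper checks (illustration, not cgiwrap).

Assumed layout: each user's CGI scripts live under
/home/<user>/public_html/cgi-bin. The wrapper receives a user name and a
script name taken from the request path, decides whether the script may
run, and, if so, drops to that user's uid/gid before executing it.
"""
import os
import posixpath
import stat
from dataclasses import dataclass

HOME_ROOT = "/home"                 # assumed home directory root
CGI_SUBDIR = "public_html/cgi-bin"  # assumed per-user CGI directory


@dataclass(frozen=True)
class FileInfo:
    """The subset of stat() data the policy needs, so the checks can be
    exercised without real files."""
    mode: int  # st_mode
    uid: int   # st_uid
    gid: int   # st_gid


def resolve_user_script(user, script):
    """Map (user, script) to an absolute path confined to the user's cgi-bin.

    Returns None for anything that would escape that directory: absolute
    script paths, '..' components, empty names, or user names containing a
    path separator. This is the check that stops a script request from
    wandering off to / as described in the thread.
    """
    if not user or not script:
        return None
    if "/" in user or user in (".", ".."):
        return None
    if script.startswith("/"):
        return None
    base = posixpath.join(HOME_ROOT, user, CGI_SUBDIR)
    full = posixpath.normpath(posixpath.join(base, script))
    # After normalisation the path must still lie strictly inside base.
    if not full.startswith(base + "/"):
        return None
    return full


def script_is_acceptable(info, expected_uid):
    """Ownership/permission policy for a script that is about to run.

    Rejects: not a regular file, not owned by the expected user, setuid or
    setgid bits, group- or world-writable, or not executable by its owner.
    """
    if not stat.S_ISREG(info.mode):
        return False
    if info.uid != expected_uid:
        return False
    if info.mode & (stat.S_ISUID | stat.S_ISGID):
        return False
    if info.mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    if not info.mode & stat.S_IXUSR:
        return False
    return True


def drop_privileges(uid, gid):
    """Irreversibly switch to the script owner's identity before exec.

    Order matters: supplementary groups and gid are dropped first, because
    once the uid is no longer 0 the process cannot change its gid. The
    final check guards against a silently failed setuid leaving us as root.
    """
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if os.getuid() != uid or os.geteuid() != uid:
        raise RuntimeError("failed to drop privileges")


if __name__ == "__main__":
    # Constructed sample: a sane script and a traversal attempt.
    ok = FileInfo(stat.S_IFREG | 0o755, 1001, 1001)
    print(resolve_user_script("alice", "hello.cgi"), script_is_acceptable(ok, 1001))
    print(resolve_user_script("alice", "../../../../etc/passwd"))
```

In a real wrapper the path returned by `resolve_user_script` would be `stat`ed, the result fed to `script_is_acceptable`, and only then would `drop_privileges` and `os.execv` run; the wrapper itself has to be the only setuid-root piece, and the web server process should still run under its own unprivileged account as the reply recommends.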