In a message dated: Tue, 09 Oct 2001 15:34:20 EDT
"Mark Aisenberg" said:

>Generally speaking, opening a powerful (root) program
>to the internet via CGI is dangerous.

I understand that.  However, this is not meant to be done via the 
internet at large, rather it's a sysadmin tool meant to be used 
locally in a (relatively speaking) secure environment.  The web 
server in question should never be connected to or reachable from
the internet in any way, shape, or form.

>For info on CGI security, see:
>http://www.panix.com/~comdog/CGI_MetaFAQ.html
>http://www.w3.org/Security/Faq/wwwsf4.html
>and other sources you can find with Google.

Ah, good, thanks for the references!

>If you're not an experienced CGI programmer, you might
>reconsider what you are doing and instead use remote
>control software to continue to run your command line
>program, but remotely.

I wouldn't consider myself an expert CGI programmer.  I've written a 
few CGI based widgets, but nothing which ever required any amount of 
security.

I personally have no problem running the command line program.  As 
for remote control software, all I need is ssh :)

The reason for the CGI wrapper is so others who don't want to have to 
remember all the various options (and there are a lot) the command 
line tool can use don't have to.  Instead, they can use a form-based 
input which runs the command with the appropriate command line 
options.

>* web server breaches (IIS or Apache, e.g.)
>* tainted user input
>* people pretending to be authorized users
>* info leakage from valid use to the outside world, where
>  it is picked up and used by bad guys

In theory, (and I understand this all hinges on the assumption that 
the code I write is used as I intend it to be :) this CGI will never, 
ever be accessible to or from the internet.  The server is intended 
to be internal to a LAN, and accessed only by a small group of Unix 
sysadmins.  So, again, in theory, any maliciousness would have to 
come from the inside.  So, in that way, I'm hoping to mitigate the 
amount of damage that can be done.


>I've been writing CGI programs for 3 or 4 years now, and
>typically the amount of code required for security and user
>interface exceeds that of the core program function.  I've
>written custom modules for my own use to handle things
>like session management (using whatever combination of
>partial ip address, cookie data, and session ids I stick
>in URLs and propagate from page to page), so I know
>that the person using a form is the person who just logged in.
>You have to plan to spend a few weeks learning and 
>implementing security code before you should feel reasonably
>safe.

I'm willing to do that, since this code is completely my own, and 
eventually will be GPL'ed (once I'm confident enough that it's worthy 
of release into the wild :)  So, time isn't really an issue, and I'm 
quite interested in learning more about secure programming methods.

>Again, remote control software?  AT&T has a free one
>at http://www.uk.research.att.com/vnc/start.html

No, I don't really think VNC would solve the problem.  SSH is already 
available, everyone has a Linux box and knows how to use SSH, they're 
just lazy and don't want to remember a bunch of command line options :)

>If you're still interested, maybe we could discuss it at a
>technical meeting of some sort (I've been planning to start
>attending for a couple of years now...)

That would be great!  The last meeting I attended was before the 
group was officially the Boston Perl Mongers, Mike Stok still lived 
in the area, and a bunch of us got together at the Commonwealth 
Brewery (I think it's now Boston Beer and Fish?) for drinks.

The only other person I remember being there was Lincoln Stein.

So yeah, I'd be up for attending a meeting :)
-- 

Seeya,
Paul
----

                          God Bless America!

        ...we don't need to be perfect to be the best around,
                and we never stop trying to be better. 
                       Tom Clancy, The Bear and The Dragon
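
Added example, not part of the original message or the poster's tool: one way to write the form-based wrapper described above so that tainted form input only ever reaches the command as allowlisted, validated arguments and never passes through a shell. It assumes Perl taint mode and the CGI module; the tool path, form field names and options are hypothetical.

```perl
#!/usr/bin/perl -T
# Added example: form-to-argv wrapper for a privileged command-line tool.
# The tool path, field names and flags below are hypothetical placeholders.
use strict;
use warnings;
use CGI ();

$ENV{PATH} = '/usr/bin:/bin';            # taint mode refuses to exec with an inherited PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $TOOL = '/usr/local/sbin/admintool';  # hypothetical tool path

# Allowlist: form field => [flag, pattern the whole value must match].
# An undef pattern marks a boolean flag that takes no value.
# Patterns anchor with \A and \z, and the first character is alphanumeric,
# so a value can never start with "-" and be read as another option.
my %OPTION = (
    host    => ['--host',    qr/\A([a-z0-9](?:[a-z0-9.-]{0,62}[a-z0-9])?)\z/i],
    action  => ['--action',  qr/\A(status|restart|report)\z/],
    verbose => ['--verbose', undef],
);

# Build argv from the allowlist only; unknown form fields are never used.
sub build_argv {
    my ($param) = @_;                    # hashref of field => raw form value
    my @argv;
    for my $field (sort keys %OPTION) {
        my $value = $param->{$field};
        next unless defined $value && length $value;
        my ($flag, $pattern) = @{ $OPTION{$field} };
        if (!defined $pattern) { push @argv, $flag; next; }
        $value =~ $pattern or die "rejected value for '$field'\n";
        push @argv, $flag, $1;           # $1 is the untainted capture
    }
    return @argv;
}

my $q     = CGI->new;
my %param = map { ($_ => scalar $q->param($_)) } $q->param;
my @argv  = eval { build_argv(\%param) };
print $q->header('text/plain');
if ($@) { print "Error: $@"; exit 0; }

# List-form pipe open: arguments go straight to exec, so shell
# metacharacters in a value are never interpreted.
open(my $out, '-|', $TOOL, @argv) or do { print "Error: cannot run tool\n"; exit 0 };
print while <$out>;
close $out;
```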

