On Mon, 2002-02-04 at 20:10, Nathan Neulinger wrote:
> About the only way I can think of getting around this problem would be
> to have some sort of web-server -> cgi-wrapper token passing taking
> place with a shared secret compiled into the wrapper executable,
> combined with non-readable wrapper executables and web server config.
> (And I haven't thought about it enough to be sure that wouldn't be
> exploitable. With some of the ptrace stuff, I'd bet it probably could be
> exploited pretty quick.) To my knowledge, none of the wrappers are
> currently doing anything like this. CGIwrap most certainly isn't. 

The solution that the frontpage extensions employed way-back-when for
FP98 (I'll admit that I haven't looked at this in a while) was rather
novel at the time.

Apache would generate a random key at startup (yes, I'm fairly confident
that there's room for an attack here) and save it to disk, owned and
readable only by root. When the frontpage shim (much like suexec or
cgiwrap) would start, Apache would pass that key to the shim, which it
would verify against the on-disk version, before changing uid/gid into
the target user.

Let me see if I can find the source for that shim...ah, here it is:

        http://www.rtr.com/fpsupport/SERK/a_fpexe.htm

The key is created when mod_fp initializes. Here's the source for the
curious:

        http://www.rtr.com/fpsupport/SERK/a_modfp.htm

-- 
Edward S. Marshall <[EMAIL PROTECTED]>
http://esm.logic.net/
-------------------------------------------------------------------------------
[ Felix qui potuit rerum cognoscere causas. ]
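The server-to-shim key check described in the message above, as an added example of what the shim's side of that handshake can look like; this is not the FrontPage code from the linked pages. KEY_LEN, KEY_PATH, the key arriving on stdin, and the argv layout (uid, gid, program) are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#define KEY_LEN 32                          /* assumed size of the startup key */
#define KEY_PATH "/var/run/httpd/shim.key"  /* assumed location of the root-only key file */

/* The on-disk key is trusted only if it is a regular file, owned by root, with no
 * group/other permission bits: that is what "readable only by root" has to mean. */
int key_file_acceptable(uid_t owner, mode_t mode) {
    if (!S_ISREG(mode)) return 0;
    if (owner != 0) return 0;
    if (mode & (S_IRWXG | S_IRWXO)) return 0;
    return 1;
}

/* Constant-time comparison: a wrong key reveals nothing about how many bytes matched. */
int keys_match(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Open without following symlinks, check the open descriptor with fstat (no gap between
 * check and read), then compare. Returns 1 only if the presented key is the stored one. */
int verify_presented_key(const char *path, const unsigned char *presented) {
    unsigned char stored[KEY_LEN];
    struct stat st;
    int ok = 0;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return 0;
    if (fstat(fd, &st) == 0 && key_file_acceptable(st.st_uid, st.st_mode) &&
        read(fd, stored, KEY_LEN) == (ssize_t)KEY_LEN)
        ok = keys_match(stored, presented, KEY_LEN);
    close(fd);
    memset(stored, 0, sizeof stored);       /* don't leave the key sitting in memory */
    return ok;
}

/* Usage (assumed): shim <uid> <gid> <program>, with the key written to stdin by the server.
 * The uid/gid switch happens only after the key verifies; gid is dropped before uid. */
int main(int argc, char **argv) {
    unsigned char presented[KEY_LEN];
    if (argc != 4 || read(STDIN_FILENO, presented, KEY_LEN) != (ssize_t)KEY_LEN) return 1;
    if (!verify_presented_key(KEY_PATH, presented)) { fputs("key rejected\n", stderr); return 1; }
    if (setgid((gid_t)atoi(argv[2])) != 0 || setuid((uid_t)atoi(argv[1])) != 0) return 1;
    execv(argv[3], &argv[3]);
    return 1;
}
```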
