On Mon, 2002-02-04 at 20:10, Nathan Neulinger wrote:
> About the only way I can think of getting around this problem would be
> to have some sort of web-server -> cgi-wrapper token passing taking
> place with a shared secret compiled into the wrapper executable,
> combined with non-readable wrapper executables and web server config.
> (And I haven't thought about it enough to be sure that wouldn't be
> exploitable. With some of the ptrace stuff, I'd bet it probably could be
> exploited pretty quick.) To my knowledge, none of the wrappers are
> currently doing anything like this. CGIwrap most certainly isn't.
The solution that the FrontPage extensions employed way back when for FP98 (I'll admit that I haven't looked at this in a while) was rather novel at the time. Apache would generate a random key at startup (yes, I'm fairly confident that there's room for an attack here) and save it to disk, owned and readable only by root. When the FrontPage shim (much like suexec or cgiwrap) would start, Apache would pass that key to the shim, which it would verify against the on-disk version, before changing uid/gid into the target user.

Let me see if I can find the source for that shim...ah, here it is:

http://www.rtr.com/fpsupport/SERK/a_fpexe.htm

The key is created when mod_fp initializes. Here's the source for the curious:

http://www.rtr.com/fpsupport/SERK/a_modfp.htm

-- 
Edward S. Marshall <[EMAIL PROTECTED]>
http://esm.logic.net/
-------------------------------------------------------------------------------
[ Felix qui potuit rerum cognoscere causas. ]
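The server/shim handshake Edward describes (random key generated at server start, stored in a file only root can read, presented to the setuid wrapper, which checks it against the on-disk copy before changing uid/gid) can be sketched in a few dozen lines of C. The block below is an added illustration written for this archive page; it is not code from mod_fp, fpexe, suexec or CGIwrap. The message does not say how Apache hands the key to the shim, so the example simply takes the presented token as a C string and leaves the transport to the caller; the file path, the 32-byte key size, the hex encoding and the function names are all assumptions made here.

```c
/* Hypothetical web-server -> setuid-wrapper shared-secret handshake,
 * modelled on the mod_fp/fpexe scheme described in the message above.
 * Path, key size, encoding and function names are this example's own. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define KEY_BYTES 32
#define KEY_HEX   (2 * KEY_BYTES)

/* Server side, run once at startup: draw a fresh key from /dev/urandom, store
 * it hex-encoded in a mode-0600 file (root-owned in a real deployment) and
 * hand a copy back in hex_out for later wrapper invocations. 0 ok, -1 error. */
int server_create_key(const char *path, char hex_out[KEY_HEX + 1])
{
    unsigned char raw[KEY_BYTES];
    size_t got = 0;
    int rfd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (rfd < 0) return -1;
    while (got < sizeof raw) {
        ssize_t n = read(rfd, raw + got, sizeof raw - got);
        if (n <= 0) { close(rfd); return -1; }
        got += (size_t)n;
    }
    close(rfd);
    for (size_t i = 0; i < KEY_BYTES; i++)
        snprintf(hex_out + 2 * i, 3, "%02x", raw[i]);
    /* O_EXCL: never write into a file or symlink someone pre-planted here. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    if (write(fd, hex_out, KEY_HEX) != KEY_HEX) { close(fd); unlink(path); return -1; }
    close(fd);
    return 0;
}

/* Wrapper side: read the on-disk key, refuse it unless it is a regular file
 * owned by our effective uid with no group/other permission bits, then compare
 * against the presented token without a byte-by-byte timing oracle.
 * Returns 1 accepted, 0 rejected, -1 if the key file is unusable. */
int shim_verify_token(const char *path, const char *presented)
{
    char stored[KEY_HEX + 1];
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    ssize_t n = read(fd, stored, KEY_HEX);
    close(fd);
    if (n != KEY_HEX) return -1;
    if (strlen(presented) != KEY_HEX) return 0;      /* length is not secret */
    unsigned char diff = 0;
    for (size_t i = 0; i < KEY_HEX; i++)
        diff |= (unsigned char)(stored[i] ^ presented[i]);
    return diff == 0;
}

/* Only after the token is accepted does the wrapper change identity:
 * supplementary groups first, then gid, then uid, then prove the drop stuck. */
int shim_drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (getuid() != uid || getgid() != gid || setuid(0) == 0) return -1;
    return 0;
}

/* Runs the whole flow at one path; 0 when every step behaves as intended
 * (genuine token accepted, forged and short tokens rejected, world-readable
 * key file refused). A negative code names the failing step. */
int handshake_selftest(const char *path)
{
    char token[KEY_HEX + 1], forged[KEY_HEX + 1];
    int rc = 0;
    unlink(path);                                   /* clear stale state */
    if (server_create_key(path, token) < 0) return -1;
    memset(forged, '0', KEY_HEX);                   /* constructed bad token */
    forged[KEY_HEX] = '\0';
    if (shim_verify_token(path, token) != 1) rc = -2;
    else if (shim_verify_token(path, forged) != 0) rc = -3;
    else if (shim_verify_token(path, "abc") != 0) rc = -4;
    else if (chmod(path, 0644) < 0 || shim_verify_token(path, token) != -1) rc = -5;
    unlink(path);
    return rc;
}

int main(void)
{
    /* Assumed demo location; a real key file lives in a root-owned directory.
     * A real wrapper would call shim_drop_privileges() only after a verify
     * returned 1, and then exec the target CGI. */
    int rc = handshake_selftest("/tmp/ws_shim_key.demo");
    printf("handshake selftest: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

Two points worth noting against the thread's own concerns. First, the channel the server uses to present the token is part of the security boundary: a token passed in argv is visible to every local user through ps or /proc, so a pipe on stdin or a descriptor is the safer choice. Second, the file-permission check in shim_verify_token only makes sense because the wrapper itself runs with an effective uid that can read the root-owned file; an attacker who can ptrace a process holding the key in memory, the scenario Nathan raised, is outside what this check can stop.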