I use MC on all our domains in Honolulu, works fine:

This is how we have it; possibly you know all this already, but I am very interested in having this area (MC security running behind Apache on a Unix-MacOSX box) thoroughly elucidated, as we also know virtually nothing about Unix security issues. So here goes with what I know to date:

put the engine itself in cgi-bin
## just like any PERL script
## that's protected from bad guys as far as i know
CHMOD 755 the engine itself
Put your scripts in the CGI directory alongside the engine
CHMOD them also 755.

Path to engine in 1st line of the script is standard... Just look at any access logs for your site to see what the full machine path is to your directory on that machine to any file

e.g.

#! /export/users/g/gregory/public_html/cgi-bin/mc
## is a typical path on a virtual domain...
## where /public_html/cgi-bin/mc is the flavor for the running OS

on StartUp
read from stdIn

##make sure any path ref in your script "climbs out" of the CGI bin
## ../someDirectory/some.file

etc.

To block other domains you need to create an "authorized domain" routine similar to the one in formMail.pl where

a) you parse the header from the submission from the submitting domain,
b) check that against a list of authorized domains. Usually this is the one on which the script itself resides, or several on the same server under your control, to prevent hackers from making POSTs from other domains/servers.

==========

I asked these same questions two years ago, was told that the "wrapper" thing pertained to using MC as a server handling the http requests... not to the context where MC is used as a CGI interpreter where Apache is the actual server. That said, then no more damage to the server can be done by an MC script than one could do with a bad Perl script.

We "quietly" installed MC remotely in the cgi-bin with a nod from their server admin who we have hosted with since before the web began in 93.... on trust that we would not do anything stupid just like they assume anyone using PERL is not going to install scripts that would do something radical to their server.

e.g. I see lots of attempts from outside domains to hit on our formMail.pl (perl) script. You see this in the error logs where POSTs are coming down from outside domains to "formmail.cgi", "FormMail.pl", "formMail.cgi", "formMail.pl" where some guy is obviously testing to see if he can use my CGI... if he could only get the name right... and occasionally they do, but their submission is rejected by the script itself... not by any "wrapper" as such.

In this case this is a well-known Perl script in the public domain (formMail.pl) which previously had a big hole in it (go to Matt's Archives and see his comments at the top of the latest version of formMail.pl).

I am not an expert, but it would seem to me that any script in any language could be secure or dangerous if it did not do the obvious security thing of examining the globals or some initial bit of data from stdIn and if it is not what's expected, nothing happens.

But perhaps there are other holes or other kinds of CGI scenarios (we are just talking about POST here) that could be dangerous?



Sannyasin Sivakatirswami
Himalayan Academy Publications
at Kauai's Hindu Monastery
[EMAIL PROTECTED]

www.HimalayanAcademy.com,
www.HinduismToday.com
www.Gurudeva.org
www.Hindu.org







On Sunday, December 8, 2002, at 09:39 AM, jbv wrote:

Although your comments raise a few important questions that
I'll have to discuss with the UNIX guy :
- what is the best directory to drop the mc engine so that
no bad guy finds it ?
- and what can happen if any bad guy finds it ?
- is there anything specific that can be done (by a bad guy) with MC
as a simple cgi engine that can't be done with a php or perl engine ?
- does it have to do with the presence of a "wrapper" (I've seen
that word at times in articles / discussions about cgi engines) ?
- are there any safety measures to take to prevent that ?

And as for permissions : I know that the right permissions have
to be set to mc-cgi scripts and text files used by those scripts, but
have the feeling that there must be some specific other permissions to
set in the Apache configuration to allow mc-cgi scripts to be triggered
by external requests... If yes, can those permissions be set for one
domain name only ?

More on these issues, please...
_______________________________________________
metacard mailing list
[EMAIL PROTECTED]
http://lists.runrev.com/mailman/listinfo/metacard
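
The "authorized domain" routine described in the message above, as an added example that is not part of the original post and is not formMail.pl's code. It is written in Python rather than MetaCard script, the allow-list and function names are hypothetical, and the sample requests are constructed. The Referer header is supplied by the client, so this filters cross-site form posts by comparing the exact host; it does not authenticate the sender.

```python
import os
from urllib.parse import urlsplit

# Constructed allow-list: the domain(s) whose forms may POST to this script.
AUTHORIZED_DOMAINS = {"example.org", "www.example.org"}


def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None if unusable."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
    except ValueError:          # malformed URL, e.g. a broken IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname drops any user:pass@ prefix and :port suffix for us.
    return parts.hostname.rstrip(".").lower()


def submission_allowed(environ, authorized=AUTHORIZED_DOMAINS):
    """Decide whether a CGI request should be processed at all.

    environ is the CGI environment (os.environ in a real script).
    """
    if environ.get("REQUEST_METHOD", "").upper() != "POST":
        return False
    host = referer_host(environ.get("HTTP_REFERER"))
    # Exact host match. A substring search would accept
    # "example.org.evil.test" or "evil.test/?example.org".
    return host is not None and host in authorized


if __name__ == "__main__":
    if submission_allowed(os.environ):
        print("Content-Type: text/plain\n\nAccepted")
    else:
        # Expected-data check failed: do nothing beyond a refusal.
        print("Status: 403 Forbidden\nContent-Type: text/plain\n\nRejected")
```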
