RE: Running PERL as root
Also, the fact that this system is a protected system means that there IS something worth protecting... stealing. Further reason not to run any cgi as root.

Bill Pierson <[EMAIL PROTECTED]> wrote:
> Thanks for your replies. Actually, I'd like to be able to modify system
> config files, stop and restart daemons, etc.
>
> I'm not aware of the different ways to accomplish this; any tips would be
> appreciated.
>
> The server is in a "protected" environment.
>
> --Bill
>
> -----Original Message-----
> From: Farouk Khawaja [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 27, 2001 10:44 PM
> To: Bill Pierson; [EMAIL PROTECTED]
> Subject: Re: Running PERL as root
>
> Bill Pierson <[EMAIL PROTECTED]> wrote:
> > I have a quick question about running a perl program as root via CGI.
> > I would assume it's platform dependent, and in my situation I have Linux
> > Redhat 7.1 w/Apache 1.3.19 webserver.
> >
> > This question is a little off-topic, however I'm guessing that a few of you
> > may have tackled this issue before.
> >
> > Thanks again,
> > --Bill
>
> I wouldn't run any CGI script as root, no matter how securely I believe
> I've written it. What are you trying to do that would require root
> permission to accomplish?
>
> Maybe you can explore alternatives.

RE: Running PERL as root
Here's a suggestion. When you receive data from a form, the cgi that parses this data should run as an ordinary user. The process will act as a buffer, cleaning data, looking for invalid values, and other oddities. Then when all concerns are satisfied, the data is written to disk to be picked up by another process that IS running as root.

... and if you're really paranoid, you can have the second root-privileged process check over the data again, just in case it was changed after being written to disk.

No method is totally secure, but at least this way insulates you from direct attacks against your code.

I welcome comments from all on this method.

Bill Pierson <[EMAIL PROTECTED]> wrote:
> Thanks for your replies. Actually, I'd like to be able to modify system
> config files, stop and restart daemons, etc.
>
> I'm not aware of the different ways to accomplish this; any tips would be
> appreciated.
>
> The server is in a "protected" environment.
>
> --Bill
>
> -----Original Message-----
> From: Farouk Khawaja [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 27, 2001 10:44 PM
> To: Bill Pierson; [EMAIL PROTECTED]
> Subject: Re: Running PERL as root
>
> Bill Pierson <[EMAIL PROTECTED]> wrote:
> > I have a quick question about running a perl program as root via CGI.
> > I would assume it's platform dependent, and in my situation I have Linux
> > Redhat 7.1 w/Apache 1.3.19 webserver.
> >
> > This question is a little off-topic, however I'm guessing that a few of you
> > may have tackled this issue before.
> >
> > Thanks again,
> > --Bill
>
> I wouldn't run any CGI script as root, no matter how securely I believe
> I've written it. What are you trying to do that would require root
> permission to accomplish?
>
> Maybe you can explore alternatives.

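The hand-off suggested in the message above, written out as an added example (it is not part of the original post): an unprivileged side that validates and spools a request, and a root side that re-checks the file and its contents before mapping it to a fixed command. The allowlist, the init script paths, the spool layout and the function names are all assumptions made for illustration.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile tempdir);
# Assumed allowlist: the only requests either side accepts, each with a fixed argv.
my %ALLOWED = (
    'httpd restart' => ['/etc/rc.d/init.d/httpd', 'restart'],
    'named reload'  => ['/etc/rc.d/init.d/named', 'reload'],
);
# Shared check: return the matched request if it is on the allowlist, else undef.
sub validate {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([a-z]{1,16} [a-z]{1,16})\n?\z/;
    return exists $ALLOWED{$1} ? $1 : undef;
}

# Unprivileged side (the CGI): validate, write a temp file, publish it by rename.
sub submit {
    my ($spool, $service, $action) = @_;
    my $req = validate("$service $action") or return;
    my ($fh, $tmp) = tempfile('tmpXXXXXX', DIR => $spool);
    print {$fh} "$req\n";
    close $fh or die "close: $!";
    rename $tmp, "$tmp.req" or die "rename: $!";   # readers never see a partial file
    return "$tmp.req";
}

# Privileged side (cron job or daemon): re-check everything read back from disk.
sub process {
    my ($spool, $web_uid, $run) = @_;
    my @done;
    for my $path (glob "$spool/*.req") {
        my @st = lstat $path or next;
        my $req;
        # Must be a plain file (no symlink, no FIFO), owned by the web user, and tiny.
        if (-f _ && $st[4] == $web_uid && $st[7] <= 64 && open(my $in, '<', $path)) {
            $req = validate(scalar <$in>);
        }
        unlink $path;
        next unless defined $req;
        $run->(@{ $ALLOWED{$req} });   # in production: sub { system @_ } (list form, no shell)
        push @done, $req;
    }
    return @done;
}
unless (caller) {   # constructed demo: temp spool, current uid, runner only prints
    my $spool = tempdir(CLEANUP => 1);
    submit($spool, 'httpd', 'restart');
    submit($spool, 'httpd', 'restart; id');        # rejected before anything is written
    print "ran: $_\n" for process($spool, $<, sub { print "would exec: @_\n" });
}
```

Nothing taken from the request ever reaches the command line: the spooled text only selects an entry in `%ALLOWED`, so a file altered after it was written can at worst pick another allowed action.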
RE: Running PERL as root
On Wed, 27 Jun 2001, Bill Pierson wrote:

> Thanks for your replies. Actually, I'd like to be able to modify system
> config files, stop and restart daemons, etc.
>
> I'm not aware of the different ways to accomplish this; any tips would be
> appreciated.
>
> The server is in a "protected" environment.

Then you need to protect the access to the server and its web pages, and use some strong authentication (basic authentication may not be enough) & encryption (SSL) to provide access to this kind of thing.

How protected is the "protected" environment?

-- Brett
http://www.chapelperilous.net/btfwk/

Never promise more than you can perform.
-- Publilius Syrus

Re: Running PERL as root
Cobalt RaQ runs apache as root so that their front-end can run with root perms. You could use cgiwrap for the same effect, I suppose.

There is also webmin, which runs with root privileges. But webmin has its own httpd server coded in perl (thereby reducing the chances of buffer overflows and such).

As webmin comes with a BSD style licence, you could cannibalize it for your needs.

There was a thread on bugtraq about the merits of running apache as root. As apache has a pretty good safety record, you should be able to run apache as root pretty safely. However if you are a little more paranoid, try cgiwrap.

BEWARE: the idea of running a CGI script to administrate a server is pretty idiotic, in my opinion. I am trying to code a web based front end for virtual/ip hosting web servers like cobalt's, so I understand the necessity in certain cases. However, it is frightening and goes against all accepted security norms.

kk

On Wed, Jun 27, 2001 at 11:12:34PM -0400, Bill Pierson wrote:
> Thanks for your replies. Actually, I'd like to be able to modify system
> config files, stop and restart daemons, etc.
>
> I'm not aware of the different ways to accomplish this; any tips would be
> appreciated.
>
> The server is in a "protected" environment.
>
> --Bill
>
> -----Original Message-----
> From: Farouk Khawaja [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 27, 2001 10:44 PM
> To: Bill Pierson; [EMAIL PROTECTED]
> Subject: Re: Running PERL as root
>
> Bill Pierson <[EMAIL PROTECTED]> wrote:
> > I have a quick question about running a perl program as root via CGI.
> > I would assume it's platform dependent, and in my situation I have Linux
> > Redhat 7.1 w/Apache 1.3.19 webserver.
> >
> > This question is a little off-topic, however I'm guessing that a few of you
> > may have tackled this issue before.
> >
> > Thanks again,
> > --Bill
>
> I wouldn't run any CGI script as root, no matter how securely I believe
> I've written it. What are you trying to do that would require root
> permission to accomplish?
>
> Maybe you can explore alternatives.

Re: Running PERL as root
On Wed, Jun 27, 2001 at 11:12:34PM -0400, Bill Pierson wrote:
> Thanks for your replies. Actually, I'd like to be able to modify system
> config files, stop and restart daemons, etc.
>
> I'm not aware of the different ways to accomplish this; any tips would be
> appreciated.
>
> The server is in a "protected" environment.

If by "protected" you mean everyone who can ever possibly access this machine has password-less root access, then go for it. If not, then you probably shouldn't be providing such things through a web interface. If you insist on it, my best suggestions are:

* write small, easily audited setuid programs to do very specific tasks
* write small, easily audited CGI scripts, that verify every single parameter in the strictest possible way, to execute the aforementioned setuid program
* give the web server a user id used by nothing else
* make the setuid programs executable only by the web server user
* password protect the site using the basic or md5 auth scheme (no cookies, no nifty HTML authentication and session doohickies)
* put the site behind strong SSL encryption, with no way to access it otherwise
* use a dedicated web server process for this
* firewall packets to and from that port to only the IP addresses of authorized individuals
* setup your web server configuration to allow only connections to the aforementioned authorized IP addresses
* reduce the number of modules, plugins, or whatever your web server uses to the absolute bare minimum to handle these administrative functions

Even after doing the above, you are opening a hole in your security. If any of the above measures isn't taken, or some small part is overlooked, you are opening yourself up to a security breach. Even if you do all of the above correctly, either you or I, or both of us, missed something, and you are opening yourself up to a security breach.

Be paranoid, security is never 100%. If at all possible, avoid doing this altogether.

Michael
--
Administrator                      www.shoebox.net
Programmer, System Administrator   www.gallanttech.com
--

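A sketch of the "small, easily audited CGI script" item from the list above, added here as an example and not part of Michael's message: it runs in taint mode, accepts exactly two allowlisted parameters, and starts the helper without a shell. The helper path `/usr/local/sbin/svcctl`, the parameter names and both allowlists are hypothetical, and CGI.pm is assumed to be installed.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI ();

# Taint mode refuses to run external programs until the environment is pinned down.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $HELPER   = '/usr/local/sbin/svcctl';            # hypothetical setuid helper
my %SERVICES = map { $_ => 1 } qw(httpd named);     # assumed allowlists
my %ACTIONS  = map { $_ => 1 } qw(restart reload);

# Return an untainted copy of $value only if it is an exact allowlist member.
sub checked {
    my ($value, $allowed) = @_;
    return undef unless defined $value && $value =~ /\A([a-z]{1,16})\z/;
    return $allowed->{$1} ? $1 : undef;
}

# Decide on a request; returns (HTTP status, message).
sub handle {
    my ($q) = @_;
    return (405, 'POST only') unless ($q->request_method // '') eq 'POST';
    # Exactly these two parameters and nothing else.
    return (400, 'unexpected parameters')
        unless join(',', sort $q->param) eq 'action,service';
    my $service = checked(scalar $q->param('service'), \%SERVICES);
    my $action  = checked(scalar $q->param('action'),  \%ACTIONS);
    return (400, 'invalid request') unless defined $service && defined $action;
    # List-form system(): the values go straight to exec, no shell ever parses them.
    my $rc = system { $HELPER } $HELPER, $service, $action;
    return $rc == 0 ? (200, "$action $service: ok") : (500, 'helper failed');
}

unless (caller) {
    my $q = CGI->new;
    my ($status, $msg) = handle($q);
    print $q->header(-status => $status, -type => 'text/plain'), "$msg\n";
}
```

The setuid helper should repeat the same allowlist check on its own arguments, since anything running as the web server user can invoke it directly.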
RE: Running PERL as root
Thanks for your replies. Actually, I'd like to be able to modify system config files, stop and restart daemons, etc.

I'm not aware of the different ways to accomplish this; any tips would be appreciated.

The server is in a "protected" environment.

--Bill

-----Original Message-----
From: Farouk Khawaja [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 27, 2001 10:44 PM
To: Bill Pierson; [EMAIL PROTECTED]
Subject: Re: Running PERL as root

Bill Pierson <[EMAIL PROTECTED]> wrote:
> I have a quick question about running a perl program as root via CGI.
> I would assume it's platform dependent, and in my situation I have Linux
> Redhat 7.1 w/Apache 1.3.19 webserver.
>
> This question is a little off-topic, however I'm guessing that a few of you
> may have tackled this issue before.
>
> Thanks again,
> --Bill

I wouldn't run any CGI script as root, no matter how securely I believe I've written it. What are you trying to do that would require root permission to accomplish?

Maybe you can explore alternatives.

Re: Running PERL as root
Bill Pierson <[EMAIL PROTECTED]> wrote:
> I have a quick question about running a perl program as root via CGI.
> I would assume it's platform dependent, and in my situation I have Linux
> Redhat 7.1 w/Apache 1.3.19 webserver.
>
> This question is a little off-topic, however I'm guessing that a few of you
> may have tackled this issue before.
>
> Thanks again,
> --Bill

I wouldn't run any CGI script as root, no matter how securely I believe I've written it. What are you trying to do that would require root permission to accomplish?

Maybe you can explore alternatives.

Re: Running PERL as root
On Wed, 27 Jun 2001, Bill Pierson wrote:

> I have a quick question about running a perl program as root via CGI.
> I would assume it's platform dependent, and in my situation I have Linux
> Redhat 7.1 w/Apache 1.3.19 webserver.

Why are you running the script as root? That's very dangerous. Are you running it as a suid script?

-- Brett
http://www.chapelperilous.net/btfwk/

"A mind is a terrible thing to have leaking out your ears."
-- The League of Sadistic Telepaths

Running PERL as root
I have a quick question about running a perl program as root via CGI. I would assume it's platform dependent, and in my situation I have Linux Redhat 7.1 w/Apache 1.3.19 webserver.

This question is a little off-topic, however I'm guessing that a few of you may have tackled this issue before.

Thanks again,
--Bill