Marc Herbert wrote:
> Sorry I did not know about this race condition. This is more or less
> the type of problems I had in mind:
>
> http://hea-www.harvard.edu/~fine/Tech/cgi-safe.html

In addition to the fine recommendations from the others I wanted to specifically point out that the problems on that page are not from launching a setuid script and providing a privilege escalation path. I just had time to skim it briefly but I didn't see setuid mentioned there at all. It is talking about other things. Instead they stem from a script running unverified user provided input. CGI scripts are not normally setuid but are running as the web server process owner and they usually allow connections from anonymous attackers on the hostile internet. By consuming and executing untrusted input they allow an attack against the web server process owner. It is a problem, and a big one, but completely different from having a local user attack against a setuid script and be able to gain the privilege of the script owner.

> The number of security recommendations on this page is impractical for
> any programmer but an expert one. This is just too complicated. I see
> this as yet another demonstration that shell scripting is very good
> for interactive use and relatively small system administration tasks but
> does not scale beyond that. Actually, I doubt any language could do
> that. Safety and "scalability" are more often than not opposed to
> convenience.

Using user provided input as commands is a problem no matter what language you use.

> (OK: maybe Perl is just as bad)

Perl and Ruby and others do provide taint mode that tracks data flow through the program. That does help significantly. But it *is* still complicated. That is why there have been so many successful attacks in the past. There isn't any magic sauce to make all of the complication go away. Attackers are as clever as you. It is a classic battle between armorer and weapons maker.

Bob

There are two types of complicated programs. Those that were built up from smaller simpler ones and those that do not work.
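The two points Bob makes, that a CGI script must not hand unverified input to a command and that taint mode helps by tracking where data came from, can be shown in a short Python model. This is an added example, not code from the thread or from Perl's or Ruby's taint implementation: a `Tainted` str subclass marks CGI parameters as untrusted, the only way to turn one back into a plain string is to match it against an explicit allow-list pattern, and the command builder refuses any argument that is still tainted. The hypothetical CGI runs `/usr/bin/finger` on a user name; the query strings, the path and the regex are assumptions chosen for the illustration.

```python
import re
import subprocess
from urllib.parse import parse_qs


class TaintError(RuntimeError):
    """Raised when tainted (never validated) data is about to reach a command."""


class Tainted(str):
    """A str subclass that marks data as coming from an untrusted source.

    The mark survives '+' concatenation and slicing. This toy does not
    track taint through every str method (format(), join(), ...) the way
    Perl's -T mode does; it exists to show the data-flow idea, nothing more.
    """

    def __add__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(other, self))

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key))


def parse_query(query_string):
    """Parse a CGI QUERY_STRING; every value comes back wrapped as Tainted."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {name: Tainted(values[0]) for name, values in parsed.items()}


def untaint(value, pattern):
    """Untaint a value by matching the whole of it against an allow-list regex.

    Mirrors the Perl idiom of extracting a value through a capture group:
    the only way to get a plain str back is to prove it fits the pattern.
    """
    match = re.fullmatch(pattern, value)
    if match is None:
        raise ValueError(f"value rejected by allow-list {pattern!r}: {value!r}")
    return str(match.group(0))  # plain str, i.e. untainted


def build_command(argv):
    """Return the argv list for subprocess.run(), refusing any tainted element.

    No shell is involved: the list form is passed straight to execve, so
    nothing re-parses the arguments for metacharacters.
    """
    for index, arg in enumerate(argv):
        if isinstance(arg, Tainted):
            raise TaintError(f"argv[{index}] is tainted and was never validated")
    return [str(arg) for arg in argv]


def handle_request(query_string):
    """Build the command a hypothetical 'finger' CGI would run for one request."""
    params = parse_query(query_string)
    user = params.get("user", Tainted(""))
    # Assumed allow-list: a conservative Unix user name, nothing else.
    safe_user = untaint(user, r"[a-z_][a-z0-9_-]{0,31}")
    return build_command(["/usr/bin/finger", safe_user])


def run_request(query_string):
    """Execute the request's command (list form, no shell) and return stdout."""
    result = subprocess.run(handle_request(query_string),
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample requests.
    print(handle_request("user=alice"))
    try:
        handle_request("user=Alice%20Smith")
    except ValueError as err:
        print("rejected:", err)
    try:
        build_command(["/usr/bin/finger", Tainted("alice")])
    except TaintError as err:
        print("blocked:", err)
```

The design point is that validation happens at one named place (`untaint`) and the type system carries the result: a programmer who forgets the allow-list step cannot reach `build_command` with a request parameter, which is what taint mode buys in Perl. Passing the arguments as a list rather than a shell string removes the second half of the problem, since there is no shell left to interpret them.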