Hi,

Thanks for articulating the risk. We will address it later. The machines involved are experimental prototypes, not production machines.

Clement

On Fri, 7 Jul 2006, Javier Fernández-Sanguino Peña wrote:

> On Fri, Jul 07, 2006 at 04:42:47PM -0400, LEE, Yui-wah (Clement) wrote:
> > Hi,
> >
> > This is an experimental package that we built and evaluate internally (up to this moment). The program that needs setuid is a cgi-bin program that is invoked by apache2, which runs as a regular user www-data. The cgi-bin program however needs to interact with iptables.
>
> You are setting up an iptables interface through a setuid *root* cgi-bin? If so: !
>
> > I know setuid programs are risky but I haven't got the time to address the security risk yet (one thing at a time ... :-)
>
> I can do the security risk analysis for you: granting remote root through a web server application is a recipe for disaster; those tactics were (or should have been) abandoned ages ago.
>
> Either you make really damn sure that the cgi-bin is not exploitable through fascist input data validation and a tight SELinux policy, or you remove the setuid bit and try to provide the functionality you need through other mechanisms.
>
> For example: a cgi-bin that locally communicates with a separate daemon and asks it to "pretty please" set up an iptables rule. If you do this, the separate daemon can be very strict in what it permits and can do additional data validation; additionally, a failure in the cgi-bin (i.e. a buffer overflow or similar programming mistake) does not equal a remote root compromise (at most a remote www-data, although that's bad enough already).
>
> Just my 2c.
>
> Javier
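The split Javier suggests (an unprivileged CGI that only ever asks a separate, strict daemon to add a rule, instead of running as setuid root itself) is shown below as an added Python example; it is not code from this thread or from Clement's package. The four-token request format, the allow-lists, the `/sbin/iptables` path and the use of `socketpair()` in place of a real Unix-domain listening socket are all assumptions for illustration.

```python
"""Privilege-separated CGI front-end / firewall daemon pair (added example).

Assumed design: the CGI runs as www-data and can only send a short request
over a local socket; a separate privileged daemon validates that request
against fixed allow-lists and builds an iptables argv list (never a shell
string). A compromise of the CGI therefore yields only the ability to send
these requests, not root.
"""
import ipaddress
import socket
import threading

IPTABLES = "/sbin/iptables"          # assumed path
MAX_REQUEST = 128                    # daemon refuses anything longer
ALLOWED_ACTIONS = {"allow", "deny"}
ALLOWED_PROTOS = {"tcp", "udp"}
ALLOWED_PORTS = {22, 80, 443}        # constructed allow-list of service ports


class RequestError(ValueError):
    """Raised by the daemon for any request that is not exactly what it expects."""


def parse_request(raw: bytes) -> dict:
    """Strictly parse '<allow|deny> <ipv4> <tcp|udp> <port>'; reject everything else."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise RequestError("request must be ASCII")
    parts = text.split()
    if len(parts) != 4:
        raise RequestError("expected: <allow|deny> <ipv4> <tcp|udp> <port>")
    action, ip, proto, port = parts
    if action not in ALLOWED_ACTIONS:
        raise RequestError("unknown action")
    try:
        addr = ipaddress.IPv4Address(ip)   # normalises and rejects garbage
    except ValueError:
        raise RequestError("not an IPv4 address")
    if proto not in ALLOWED_PROTOS:
        raise RequestError("unknown protocol")
    if not port.isdigit() or int(port) not in ALLOWED_PORTS:
        raise RequestError("port not in allow-list")
    return {"action": action, "ip": str(addr), "proto": proto, "port": int(port)}


def build_argv(req: dict) -> list:
    """Turn a validated request into an argv list; no shell is ever involved."""
    target = "ACCEPT" if req["action"] == "allow" else "DROP"
    return [IPTABLES, "-A", "INPUT", "-s", req["ip"], "-p", req["proto"],
            "--dport", str(req["port"]), "-j", target]


def handle_request(raw: bytes, run=None) -> bytes:
    """Daemon side: validate, then optionally execute. run=None is a dry run."""
    if len(raw) > MAX_REQUEST:
        return b"ERR request too long"
    try:
        req = parse_request(raw)
    except RequestError as exc:
        return b"ERR " + str(exc).encode("ascii")
    argv = build_argv(req)
    if run is not None:                 # e.g. lambda a: subprocess.run(a).returncode
        rc = run(argv)
        if rc != 0:
            return b"ERR iptables exit status %d" % rc
    return b"OK " + " ".join(argv).encode("ascii")


def exchange(raw: bytes) -> bytes:
    """CGI side: send one request over a local socket and return the daemon's reply.

    socketpair() stands in for the Unix-domain socket a real daemon would
    listen on (e.g. owned root:www-data, mode 0660); the daemon runs in a
    thread here so the example is self-contained.
    """
    cgi_side, daemon_side = socket.socketpair()

    def serve():
        with daemon_side:
            daemon_side.sendall(handle_request(daemon_side.recv(MAX_REQUEST + 1)))

    worker = threading.Thread(target=serve)
    worker.start()
    with cgi_side:
        cgi_side.sendall(raw)
        reply = cgi_side.recv(256)
    worker.join()
    return reply


if __name__ == "__main__":
    # Constructed sample requests: one valid, one with injected extra tokens,
    # one asking for a port outside the allow-list.
    for sample in (b"allow 192.0.2.10 tcp 443",
                   b"allow 192.0.2.10 tcp 443; id",
                   b"deny 192.0.2.10 udp 31337"):
        print(sample, b"->", exchange(sample))
```

The point of the design is that the daemon, not the CGI, is the trust boundary: it accepts only an exact token count, an IPv4 literal that `ipaddress` will parse, and values from closed sets, and it executes an argv list rather than a command string, so there is nothing for injected shell metacharacters to reach. In a real deployment `run` would be something like `lambda a: subprocess.run(a).returncode`, and the daemon would additionally log every request it receives, accepted or rejected.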