Beefy Boxes and Bandwidth Generously Provided by pair Networks
good chemistry is complicated,
and a little bit messy -LW
 
PerlMonks  

Re: Security, root and CGI?

by MidLifeXis (Prior)
on Jan 28, 2009 at 23:20 UTC ( #739725=note: print w/ replies, xml ) Need Help??


in reply to Security, root and CGI?

At some point, your runs-as-root part needs to trust the job being submitted to it. What level of security is needed to get this trust high enough? What do you, as the SA, require the user to prove to you before you act on their request? Now, what is needed to have a program do the same thing?

Be careful about file system permissions. Perhaps run the CGI submitter under a suexec setup to allow only that CGI to touch whatever mechanism is used to pass information to run-as-root. Think "minimum privilege necessary".

--MidLifeXis


Comment on Re: Security, root and CGI?
Re^2: Security, root and CGI?
by pileofrogs (Priest) on Jan 28, 2009 at 23:28 UTC

    I'm planning on using an suexec like thing (CGIWrap). I don't know of any mechanisms that could be limited by the UID of the CGI process. Maybe a socket? Are there others?

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://739725]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others studying the Monastery: (17)
As of 2014-07-24 15:28 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (161 votes), past polls