More CGI Comments

From: rst@ai.mit.edu (Robert S. Thau)
Date: Sat, 8 Jan 94 18:15:43 EST
Message-id: <9401082315.AA09021@volterra>
To: fielding@simplon.ics.uci.edu
Cc: rhb@hotsand.att.com, www-talk@www0.cern.ch
In-reply-to: "Roy T. Fielding"'s message of Sat, 08 Jan 1994 14:26:35 -0800 <9401081426.aa08569@paris.ics.uci.edu>
Subject: More CGI Comments 
Content-Length: 2240
   Date: Sat, 08 Jan 1994 14:26:35 -0800
   From: "Roy T. Fielding" <fielding@simplon.ics.uci.edu>

   Just prior to reading this I was looking at a local notice about login
   security.  Thus, my first thought was what would happen if some user
   created a script which deletes (recursively) all of the files in the
   invokers home directory.  Since the script would be executed under the
   server's user ID (I think), would the script then delete all of the
   server's subdirectories?

Depending on the local setup, it may or may not.  For instance, you could
have all the server's files owned by, say, 'webmaster', and run the server
itself under the uid 'nobody'.  The server's directories could then be
read-only to the server itself, and to any scripts which it happens to run.
However, this doesn't preclude other forms of mischief --- evasion of local
accounting rules, and so forth.

   I'm not sure what would happen (I'm damn sure I don't want to test it),
   but I think this question should be considered before allowing other
   users to add scripts at will.

It's a matter of local policy, really --- specifically, how much trust you
have in your users.  It's not an issue here, for instance, because people
here generally have write permission on the server's directories anyway.
If they want to destroy the server, nothing as messy as a trick script is
required.

Of course, we can afford to be that trusting because we don't have a large
population of potentially hostile users running directly on our machines.
People who aren't so blessed probably *shouldn't* allow users to add
scripts at will --- or should at least restrict the privilege to users who
aren't likely to abuse it.  Any server which provides such a facility
should likewise provide the administrator with the tools to control it, via
access config files or the like.

(Incidentally, I don't think that any server should default to the sort of
wide-open configuration that I have running here --- it makes it too easy
for naive sysadmins to get into trouble.  However, for those of us who can
use the option, it's very nice to have it).

   ....Roy Fielding   ICS Grad Student, University of California, Irvine  USA
                      (fielding@ics.uci.edu)

rst
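An added illustration, not part of either message above and not a tool from any server of the period: a small Python audit of the ownership-and-mode arrangement rst sketches (server files owned by 'webmaster', server and its scripts running as 'nobody'). It walks a document root and reports every directory or file that a process under the server's uid could modify, treating a writable directory as the dangerous case, since that is what lets a script unlink entries. The uid value, group set and any paths passed in are assumptions for the demonstration.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    mode: str    # permission bits as octal text, e.g. "0777"
    reason: str


def writable_by(st, uid, gids):
    """POSIX discretionary-access check: could a process with this uid and
    these supplementary gids write to the entry described by stat result st?"""
    if uid == 0:                      # root ignores mode bits entirely
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_tree(root, server_uid, server_gids=frozenset()):
    """List every directory or file under root that server_uid could modify.
    A writable directory is the case from the thread: its entries can be
    created or unlinked even when the files themselves are read-only."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in [None] + filenames:          # None stands for dirpath itself
            path = dirpath if name is None else os.path.join(dirpath, name)
            st = os.lstat(path)                  # lstat: do not follow symlinks
            if stat.S_ISLNK(st.st_mode):         # a link's own bits are meaningless
                continue
            if writable_by(st, server_uid, server_gids):
                reason = ("directory writable: server could create or delete entries"
                          if name is None else
                          "file writable: server could alter its content")
                findings.append(Finding(path, f"{stat.S_IMODE(st.st_mode):04o}", reason))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit.py DOCROOT [SERVER_UID]; 65534 as 'nobody' is an assumption.
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else 65534
    for f in audit_tree(sys.argv[1], uid):
        print(f"{f.mode} {f.path}: {f.reason}")
```

An empty result means the server uid can neither alter content nor remove entries anywhere under the root, which is the read-only arrangement described; running the server as uid 0 flags everything, as it should.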