Re: cgiemail installs owned by root in /usr/lib/cgi-bin

From: Sam Watkins (swatkins_at_fastmail.fm)
Date: 11/29/04

    Date: Mon, 29 Nov 2004 23:50:29 +1100
    To: Antonio Rodriguez <arodriguez31@cfl.rr.com>
    
    

    Antonio Rodriguez wrote:
    > I noticed that when installing cgiemail it is set as owned by root,
    > same as other scripts simultaneously installed in /usr/lib/cgi-bin

    > The danger of being root owned would be in the fact that it can
    > virtually do anything.

    No, it can't. If root owns an executable, and www-data runs it,
    it can only do what www-data can do.

    This is just the same as if you run /bin/cat, for example; although it's
    owned by root, it runs with your permissions, not root's; when you run it,
    it does not have permission to read or write any file like root does.

    e.g.:

      $ cat /etc/shadow
      cat: /etc/shadow: Permission denied

    A special permission called "setuid" exists to make programs run as the
    owner of the executable instead of the user who's running them, but it is
    used as little as possible to prevent security holes due to bugs.

    For example, if you run as root:

      chmod +s /bin/cat

    then as non-root:

      cat /etc/shadow

    you will be able to read the /etc/shadow (shadow password file) although
    you don't normally have permission to!

    *** don't forget to remove this permission again (as root)! :

      chmod -s /bin/cat

    This setuid feature doesn't work for scripts (such as cgiemail), it only
    works for compiled executables. Apparently there is more of a security
    risk if scripts can be setuid, although I'm not quite sure why; so it's
    not permitted by the kernel at all.

    This is probably a lot more than you ever wanted to know about
    unix permissions :)

    Sam

    -- 
    To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
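The distinction Sam draws above, between a file merely being owned by root and a file carrying a mode bit that actually grants privilege, is what an audit of a CGI directory should check. The script below is an added example, not code from the thread or from the cgiemail package: it builds a throwaway directory standing in for /usr/lib/cgi-bin with three constructed scripts (a normal one, one with a stray setuid bit, one that is world-writable), lists the files whose bits matter, and shows that a script runs as the uid of whoever invokes it. It assumes a POSIX sh, find and mktemp.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a CGI directory the
# way Sam describes, separating "owned by root" (harmless by itself) from
# the bits that actually matter: setuid/setgid and world-writability.
# The directory and its files are constructed for the demonstration.

# Print each regular file under $1 that carries the setuid (4000) or
# setgid (2000) bit, one path per line. No output means nothing is setuid.
find_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print each regular file under $1 that is world-writable. A root-owned
# CGI script that anyone can edit is a real problem; root ownership alone
# is not.
find_world_writable() {
    find "$1" -type f -perm -0002 -print
}

# Count lines on stdin, so callers and tests can branch on the result.
count_lines() {
    wc -l | tr -d ' '
}

# Run a #! script and report the numeric uid it executes as. File
# ownership does not change this; the kernel ignores a setuid bit on
# scripts, so invoking the interpreter explicitly gives the same answer.
script_runtime_uid() {
    sh "$1"
}

# Build a throwaway directory standing in for /usr/lib/cgi-bin and print
# its path. Each script just reports the uid it runs as.
make_demo_dir() {
    d=$(mktemp -d)
    # the normal case: a plain CGI script, mode 755 (owner may be root)
    printf '#!/bin/sh\nid -u\n' > "$d/cgiemail"
    chmod 0755 "$d/cgiemail"
    # a script someone marked setuid: the kernel ignores the bit, but it
    # signals a misconfiguration worth flagging
    printf '#!/bin/sh\nid -u\n' > "$d/suid.cgi"
    chmod 4755 "$d/suid.cgi"
    # a world-writable script: the case an audit must catch
    printf '#!/bin/sh\nid -u\n' > "$d/sloppy.cgi"
    chmod 0777 "$d/sloppy.cgi"
    printf '%s\n' "$d"
}

# Stand-alone run: build the demo directory, report, clean up.
demo_dir=$(make_demo_dir)
echo "setuid/setgid files:"
find_setuid_files "$demo_dir"
echo "world-writable files:"
find_world_writable "$demo_dir"
echo "cgiemail runs as uid $(script_runtime_uid "$demo_dir/cgiemail"), caller is uid $(id -u)"
rm -rf "$demo_dir"
```

Pointing `find_setuid_files` and `find_world_writable` at the real /usr/lib/cgi-bin gives the check that matters for the original question: an empty result from both means root ownership of cgiemail changes nothing about what it can do.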
    
