By Steve VanDevender (stevev@darkwing.uoregon.edu)
Last April, systems managers enabled the suexec feature on the Apache web server on Darkwing to control execution of CGI programs. If your Darkwing web pages don't use CGI, or use CGI in simple ways, this upgrade won't affect you. But if you have installed, or are planning to install, CGI programs in your web pages, read on.
In traditional installations, CGI programs executed by the web server run as the unprivileged user "nobody" to safeguard account security. However, many web designers want their CGI programs to record information for "guest books" or page counters, and to accomplish this they have to make the files those programs write to writable by everyone else on the system.
Unfortunately, such world-writable files can be tampered with by anyone else on the system. Some programmers try to avoid this vulnerability by making their CGI programs "setuid," i.e., they add special permission bits so that the CGI runs as the user who owns it rather than "nobody." This tactic isn't foolproof, however, because in some cases setuid CGI programs can be used to gain unwanted access to people's accounts.
A better solution is the Apache suexec mechanism, which allows a web server to run CGI programs directly as the user who owns them. Suexec also includes a number of security checks to avoid executing unsafe CGI programs. With Apache suexec, it's no longer necessary to create world-writable files in order to allow your CGI programs to save data; if you can write to a file, then so can your CGI programs.
Setuid programs denied execution. As part of its security checks, suexec will not execute any setuid programs, even ones that are setuid to you. However, it is still possible that poorly-written CGI programs in your account could be used to gain unwanted access, so you should continue to be careful when installing CGI programs written by others or when writing your own.
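As an added example (not part of the original article), the shell function below lists the files in a web directory that suexec will refuse to run because they carry setuid or setgid bits, along with files that are still world-writable. The function name and the directory argument are assumptions; the setgid check follows Apache's suexec documentation rather than this article.

```shell
#!/bin/sh
# Added example, not from the original article.
# audit_cgi_dir DIR: report files under DIR that need attention under suexec.
#   SETUID          setuid or setgid bit is set; suexec will not execute these
#   WORLD-WRITABLE  writable by every user on the system; under suexec the CGI
#                   runs as the owner, so owner-only write access is enough
# Returns 0 if nothing is found, 1 if there are findings, 2 on a bad argument.
audit_cgi_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "audit_cgi_dir: not a directory: $dir" >&2
        return 2
    fi

    findings=$(
        # Octal 4000 is the setuid bit, 2000 the setgid bit.
        find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'SETUID %s\n' {} \;
        # Octal 0002 is write permission for "other" (everyone on the system).
        find "$dir" -type f -perm -0002 \
            -exec printf 'WORLD-WRITABLE %s\n' {} \;
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run against the directory given on the command line, if any.
# The directory that holds your web pages is site-specific (assumption).
if [ $# -gt 0 ]; then
    audit_cgi_dir "$1"
fi
```

A SETUID finding can be cleared with `chmod u-s,g-s FILE`, and a WORLD-WRITABLE one with `chmod o-w FILE`, once the CGI is being run as your own account.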
To reduce the chance that this change would break existing CGI programs, during the upgrade process:
Suppose you have an account "vhost" on Darkwing that contains the web pages for the virtual host name "virtualhost.uoregon.edu." You can refer to your virtual host web pages in two ways:
"http://virtualhost.uoregon.edu/"
or
"http://darkwing.uoregon.edu/~vhost/"
If you refer to a CGI program with a URL beginning with "http://virtualhost.uoregon.edu/", your program will automatically be executed as the "nobody" user, as before.
If you refer to a CGI program with a URL beginning with "http://darkwing.uoregon.edu/~vhost/", it will be executed as your "vhost" account user. This is the form you must use if you want the CGI in your virtual host to take advantage of Apache suexec.
If you find CGI programs are failing in a way that they did not before the upgrade, you can look in the file /var/www/logs/suexec_log for possible troubleshooting hints. The command
grep USERNAME /var/www/logs/suexec_log
(where USERNAME is your own Darkwing login name) will report information about CGI programs accessed in your account.
If your CGI generates errors after it's started by suexec, those errors will be recorded in the normal Apache error log file, /var/www/logs/error_log.
For a more detailed explanation of Apache suexec, see http://www.apache.org/docs/suexec.html