no setuid for CGI scripts?
Robin Becker
robin at jessikat.fsnet.co.uk
Mon Nov 5 12:15:02 EST 2001
In article <om7dut81qb8ks0rgp29uoqi1jjuq3crg2i at 4ax.com>, Toby Dickenson
<tdickenson at devmail.geminidataloggers.co.uk> writes
>(posted and cc'ed to robin)
>
>Robin Becker <robin at jessikat.fsnet.co.uk> wrote:
>
>I don't think that's safe
>
>'system' uses many environment variables that could be used to change
>the behavior of this program to be something other than what you
>expected.
I certainly agree that this will break easily enough when run from the
command line. If the web server is already compromised there's little
point in worrying about what LD_LIBRARY_PATH etc it's supplying. I
suspect that getting python to run with a different LIBRARY_PATH would
not be as hard as getting the compromised shared libraries/binaries onto
the system in the first place.
--
Robin Becker
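
An added example, not part of the original posts: one way a setuid CGI wrapper can avoid the environment concern raised in the quoted reply, by building an allowlisted environment and calling execve directly instead of system. The allowlist, the fixed PATH value, and the interpreter and script paths are assumptions chosen for illustration.

```c
#include <string.h>
#include <unistd.h>

/* Variables the CGI script is allowed to see (constructed allowlist). */
static const char *const ALLOWED[] = {
    "REQUEST_METHOD", "QUERY_STRING", "CONTENT_LENGTH", "CONTENT_TYPE", NULL
};
/* Fixed value supplied by the wrapper, never taken from the caller. */
static char FIXED_PATH[] = "PATH=/usr/bin:/bin";

/* Return 1 if entry is "NAME=..." for an allowlisted NAME. */
static int is_allowed(const char *entry)
{
    for (size_t i = 0; ALLOWED[i] != NULL; i++) {
        size_t n = strlen(ALLOWED[i]);
        if (strncmp(entry, ALLOWED[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Fill out[] with FIXED_PATH plus the allowlisted entries of src[].
 * Returns the number of entries written (not counting the NULL terminator),
 * or -1 if out[] (capacity cap, terminator included) is too small. */
int build_clean_env(char *const src[], char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) return -1;
    out[n++] = FIXED_PATH;
    for (size_t i = 0; src != NULL && src[i] != NULL; i++) {
        if (!is_allowed(src[i]))
            continue;            /* drops LD_*, IFS, PYTHONPATH, PATH, ... */
        if (n + 1 >= cap)
            return -1;           /* fail closed rather than truncate */
        out[n++] = src[i];
    }
    out[n] = NULL;
    return (int)n;
}

int main(void)
{
    extern char **environ;
    char *clean[16];
    /* Hypothetical interpreter and script paths; replace with real ones. */
    char *const argv[] = { "python", "/path/to/script.py", NULL };
    if (build_clean_env(environ, clean, 16) < 0) return 1;
    execve("/usr/bin/python", argv, clean);  /* no shell, no inherited env */
    return 1;                                /* reached only if execve fails */
}
```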