Webmin-alike cgi script and security

Dave Swegen dswegen at software.plasmon.com
Mon Jul 29 04:29:05 EDT 2002


On Sat, Jul 27, 2002 at 10:11:10PM +0200, Andreas Kostyrka wrote:
> On Mon, 2002-07-22 at 16:13, Dave Swegen wrote:
> > On Mon, Jul 22, 2002 at 06:08:26PM +0400, Denis S. Otkidach wrote:
> > > Adding webserver default user to sudoers is a bad thing anyway.
> > > It's better to use suexec with unique user, that will be used for
> > > this script only.
> > 
> > Thanks, this is exactly the sort of info I'm looking for.
> Also, depending if "local-attackers" are a likely scenario, you might
> think about using marshal:
> + does not execute code upon load
> - loads code objects
> - supports only basic data structures. Experience shows that for this
> kind a marshaled dictionary is usually ok.

All I'll be passing around is quite simple data, so marshal should be
sufficient.

> 
> You should consider also if the filebased approach is best.
> For example AF_UNIX sockets support authentication.
> You could also pipe the data into the sudo process, and read the answer
> back from it.

The piped approach might actually be better, as it would leave the
implementation language of the actual worker scripts open (not everyone
here at work likes python - it's the indentation thing *sigh* ;)

> 
> Should you go with the file based approach, you should check:
> -) that the file is only writeable and readable by the "webuser".
>    (or somebody else might be tricking us into doing the wrong thing.)
> -) that the file is in a directory only writeable by the "webuser".
>    (again, somebody might fool us with a symlink)
> 
> Basically be as paranoid as you can be. 

Thanks for all the advice. Not having done this before, it certainly helps
having pointers to what I should be aware of.

Cheers
    Dave
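
The file-based checks listed in the thread, as an added example in present-day Python 3 (not code from any of the posters): the privileged worker opens the request file without following symlinks, verifies owner and mode on the directory and the file, then unmarshals and rejects anything that is not a dictionary of basic types. The names `load_request`, `MAX_BYTES` and `web_uid` are hypothetical, and the size cap is an assumption.

```python
import marshal
import os
import stat

MAX_BYTES = 64 * 1024  # assumed upper bound for one request file
SIMPLE = (str, bytes, int, float, bool, type(None))

def _check(st, uid, mask, what):
    """Require ownership by uid and none of the permission bits in mask."""
    if st.st_uid != uid:
        raise PermissionError(f"{what}: owner uid {st.st_uid}, expected {uid}")
    if st.st_mode & mask:
        raise PermissionError(f"{what}: mode {st.st_mode & 0o777:o} is too open")

def _is_simple(obj):
    """True only for basic data; code objects and other types are refused."""
    if isinstance(obj, SIMPLE):
        return True
    if isinstance(obj, (list, tuple)):
        return all(_is_simple(x) for x in obj)
    if isinstance(obj, dict):
        return all(isinstance(k, str) and _is_simple(v) for k, v in obj.items())
    return False

def load_request(path, web_uid):
    """Return the request dict written by web_uid, or raise."""
    dirname, name = os.path.split(os.path.abspath(path))
    # Hold the directory open so the checks and the file open use the same inode.
    dfd = os.open(dirname, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        _check(os.fstat(dfd), web_uid, 0o022, "directory")  # no group/other write
        # O_NOFOLLOW refuses a symlinked file; O_NONBLOCK avoids hanging on a FIFO.
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK, dir_fd=dfd)
    finally:
        os.close(dfd)
    with os.fdopen(fd, "rb") as fh:
        st = os.fstat(fh.fileno())  # stat the open descriptor, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("request is not a regular file")
        _check(st, web_uid, 0o077, "file")  # no group/other access at all
        data = fh.read(MAX_BYTES + 1)
    if len(data) > MAX_BYTES:
        raise ValueError("request too large")
    obj = marshal.loads(data)
    if not isinstance(obj, dict) or not _is_simple(obj):
        raise ValueError("request must be a dict of basic types")
    return obj
```

The ownership and mode checks are what establish trust in the bytes; the type check after `marshal.loads` only keeps code objects and unexpected structures away from the worker.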



