Webmin-alike cgi script and security
Dave Swegen
dswegen at software.plasmon.com
Mon Jul 22 09:36:10 EDT 2002
I'm currently looking at writing a set of cgi scripts that will perform
similiar functionality to webmin (i.e. system configuration and running
various processes as root) for configuring an embedded system.
Now I know that this is a can of worms, but I would appreciate some
feedback on my current line of thinking:
The scripts themselves are run as the default webserver user, and take
care of stuff like authentication and basic sanity checking.
If all input checks out an external script is called using sudo to gain
root privs. Any data that should be provided is pickled and stored in a
file with a unique name, which is then the only argument to the sudo'ed
script. Depending on the return value any return data is picked up again
by the cgi script from a pickled data structure with the same name.
All web traffic goes over SSL (using self signed certs, which at least
encrypts traffic), possibly using the cookie scheme described at
http://www-106.ibm.com/developerworks/library/secure-cgi/
For this project I have the luxury of only targeting later browsers
which talk HTML 4.0 (i.e mozilla & co and later IEs).
So, given the task, is this a reasonable way of going about it, or are
there any screamingly obvious holes?
Cheers
Dave
More information about the Python-list
mailing list