[Tutor] Re: [SLL] CGI with python question

Pedro Diaz Jimenez pdiaz88@terra.es
Sat, 3 Mar 2001 14:03:45 +0100


Hi,

Well, I got some answers, not from this list but from my Linux list. Here
is the most interesting:

On Thursday 01 March 2001 19:20, Ben Johnson wrote:
> I don't know python, but I'm interested in your security problem.  I
> don't like cgi programs running as root at all so in my opinion your
> scheme sounds ok except that httpd is creating root owned processes.
>
> here is an idea.
>
> have one program that executes as root, reads the login info, and then
> forks into the background and becomes owned by nobody.  it then could
> act as a server for the needed info.  it should probably open a unix
> domain socket so that tcp connections can't get to it (directly anyway).
>
> now you have the problem of authenticating connecting processes so that
> not just anyone can connect and read the info.  one lame way to do this
> would be to check the owner of whatever process is connecting to see
> it's nobody.  that could be ok unless you have other people on your
> machine who are allowed to run cgi scripts.  another way would be with a
> shared secret... one that the daemon and the cgi scripts know.  if you
> did that though you might as well just put real needed info into your
> cgi scripts directly (which is typical actually... this is the way I do
> it).   another method would be one that uses public key cryptography.
> There seems like there are all sorts of reasonably secure ways to do it
> this way but none of them, that I can think of, are perfect.
>
> the easiest way to do this is to put your connect info in one file that
> is readable only by nobody and then make sure that there is no one on
> your machine that can run a program/script as nobody and get to it.
>
> sorry I'm not more helpful.  I guess I just had to listen to myself
> type.
>
> - Ben

It's somewhat strange that no one on the Python list answered my question,
since Python is used heavily in web sites as a CGI script language.

Cheers

Pedro
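Ben's suggestion above (a root-started daemon that drops to nobody and hands the credentials out over a Unix domain socket, admitting clients by the owner of the connecting process) can be implemented with the kernel-supplied SO_PEERCRED socket option. The following is an added example, not code from this thread; it assumes Linux and Python 3, uses a constructed credential string in place of the /etc file, and stands in the current user's uid for nobody.

```python
import os
import socket
import struct
import tempfile
import threading

# Constructed stand-in for the /etc credential tuple the original poster wants to protect.
SECRET = b"user:password:localhost:dbname"
# uids allowed to receive it; on the poster's host this would be nobody's uid. For a
# stand-alone demo we allow our own uid. Caveat from the thread: anyone who can run
# code as an allowed uid can read the secret, so that uid must not be shared.
ALLOWED_UIDS = {os.getuid()}

def peer_credentials(conn):
    """(pid, uid, gid) of the process at the other end of a Unix-domain socket.

    SO_PEERCRED is filled in by the Linux kernel, so unlike a shared secret
    embedded in the CGI script it cannot be copied or forged by the client.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)

def serve_one(listener, allowed):
    """Daemon side: accept one client and release SECRET only to an allowed uid."""
    conn, _ = listener.accept()
    with conn:
        _pid, uid, _gid = peer_credentials(conn)
        conn.sendall(SECRET if uid in allowed else b"DENIED")

def fetch_secret(path):
    """CGI side: ask the daemon instead of reading the root-only file directly."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(path)
        return client.recv(4096)

def run_demo(allowed=None):
    """Bind a socket in a temp dir, serve one request to ourselves, return the reply."""
    allowed = ALLOWED_UIDS if allowed is None else allowed
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "creds.sock")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
            srv.bind(path)
            os.chmod(path, 0o600)  # permissions gate connect(); SO_PEERCRED gates the reply
            srv.listen(1)
            worker = threading.Thread(target=serve_one, args=(srv, allowed))
            worker.start()
            reply = fetch_secret(path)
            worker.join()
    return reply
```

The daemon itself would still need to be started as root, read the file, and then drop to nobody with os.setgroups/os.setgid/os.setuid before listening; the peer check only decides who may ask it.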




On Saturday 03 March 2001 02:13, amoe@IDCertify.com wrote:
> Hi Pedro,
>
> Did you ever get an answer on this?  I would be interested to hear it.
>
> Alan
>
> -----Original Message-----
>
> Hi folks,
>
> I'm doing some CGI python scripts. One of them needs to access a MySQL
> database on the localhost. I have experience dealing with MySQLdb so this
> is not a problem. Actually the problem is that I need to fetch the
> username-password-host-db tuple from a file in /etc. Of course, this
> file must be root-only readable, so nobody except the root can read
> this sensitive information. On the other hand, I don't want to have
> cgi's in my system with root privileges (I don't know if this is even
> possible with apache).
>
> Considering this, I planned my cgi to do the following:
>   - The script is initially suid root
>   - Once it is called, it reads the /etc files
>   - Immediately after this, it changes its euid to Nobody via os.setuid
>   - Do the rest of the job, including interacting with the MySQL server
>
> Does this scheme look ok in security terms? If not, what other scheme
> should I follow?
>
> I've also been playing with suid python scripts, but I wasn't able to make
> them perform root privileged actions. Example:
>
> test.py:
> -------
> #!/usr/bin/python
>
> import os
> print os.geteuid()
> os.setuid(0)
> print os.geteuid()
> f = open("/etc/shadow")
> print "ALL OK"
> --------
>
> # chmod +x test.py
> # ls -la test.py
> -rwxr-xr-x    1 root     root          120 Mar  1 18:07 test.py
> # ./test.py
> 0
> 0
> ALL OK
> # chmod u+s test.py
> # ls -la test.py
> -rwsr-xr-x    1 root     root          120 Mar  1 18:07 test.py
> # su pdiaz
> $ ./test.py
> 1000
> Traceback (innermost last):
>   File "./test.py", line 5, in ?
>     os.setuid(0)
> OSError: [Errno 1] Operation not permitted
> $
>
> What am I doing wrong?
>
> Thanks
>
> Pedro
>
> ========================================================================
> Contributions/Posts To: linux-list@ssc.com
> To Unsubscribe: linux-list-request@ssc.com, "unsubscribe" in message body
> Report Problems to: owner-linux-list@ssc.com
> List archive at: http://www.ssc.com/mailing-lists/