[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cd with multiple arguments?
|
From: |
Bob Proulx |
|
Subject: |
Re: cd with multiple arguments? |
|
Date: |
Fri, 17 Dec 2010 13:57:07 -0700 |
|
User-agent: |
Mutt/1.5.20 (2009-06-14) |
Marc Herbert wrote:
> Sorry I did not know about this race condition. This is more or less
> the type of problems I had in mind:
>
> http://hea-www.harvard.edu/~fine/Tech/cgi-safe.html
In addition to the fine recommendations from the others I wanted to
specifically point out that the problems on that page are not from
launching a setuid script and providing a priviledge escalation path.
I just had time to skim it briefly but I didn't see setuid mentioned
there at all. It is talking about other things.
Instead they stem from a script running unverified user provided
input. CGI scripts are not normally setuid but are running as the web
server process owner and they usually allow connections from anonymous
attackers on the hostile internet. By consuming and executing
untrusted input they allow an attack against the web server process
owner. It is a problem, and a big one, but completely different from
having a local user attack against an setuid script and be able to
gain the priviledge of the script owner.
> The number of security recommendations on this page is impractical for
> any programmer but an expert one. This is just too complicated. I see
> this as yet another demonstration that shell scripting is very good
> for interactive use and relatively small system administration tasks but
> does not scale beyond that. Actually, I doubt any language could do
> that. Safety and "scalability" are more often than not opposed to
> convenience.
Using user provided input as commands is a problem no matter what
language you use.
> (OK: maybe Perl is just as bad)
Perl and Ruby and others do provide taintmode that tracks data flow
through the program. That does help significantly. But it *is* still
complicated. That is why there have been so many successful attacks
in the past. There isn't any magic sauce to make all of the
complication go away. Attackers are as clever as you. It is a
classic battle between armorer and weapons maker.
Bob
There are two types of complicated programs. Those that were built up
from smaller simpler ones and those that do not work.
- Re: cd with multiple arguments?, (continued)
- Re: cd with multiple arguments?, Bob Proulx, 2010/12/15
- Re: cd with multiple arguments?, Marc Herbert, 2010/12/16
- Re: cd with multiple arguments?, Bob Proulx, 2010/12/16
- Re: cd with multiple arguments?, Marc Herbert, 2010/12/17
- Re: cd with multiple arguments?, Greg Wooledge, 2010/12/17
- Re: cd with multiple arguments?, Illia Bobyr, 2010/12/17
- Re: cd with multiple arguments?,
Bob Proulx <=
- Re: cd with multiple arguments?, Marc Herbert, 2010/12/20