- From: Jim Whitehead <ejw@cse.ucsc.edu>
- Date: Thu, 19 Jun 2003 12:06:49 -0700
- To: "WebDAV" <w3c-dist-auth@w3.org>
Accidentally caught by the spam filter.
- Jim
-----Original Message-----
From: Jon Rifkin [mailto:jon@bluet.ucc.uconn.edu]
Sent: Thursday, June 19, 2003 10:19 AM
To: w3c-dist-auth@w3.org
Subject: [Moderator Action] Problem: Apache + WebDav + CGI = Security
Hole
Apache + WebDav + CGI = Security Hole
THE PROBLEM
I'm trying to provide a webserver that allows users to maintain separate
websites and use WebDav to manage their content. After much development
it has occurred to me that I've created a *serious security hole*, for
while Apache/WebDav restricts users from each other's websites, CGI
scripts have no such restriction, that is ...
* Any user's CGI script can write into any another user's website.
For example, suppose you have two websites
webserver.org/alice
webserver.org/bob
where the websites 'alice' and 'bob' are managed by their respective
webmasters. Webdav prevents Alice from writing in Bob's directory and
vice versa. So far so good.
But, suppose Alice and Bob upload CGI scripts to their websites. These
scripts will be able to write *anywhere* in the webserver document tree,
that is Alice's CGI script will be able to write into Bob's website and
vice versa, because
(1) Both Alice's and Bob's scripts run as the apache user.
(2) The apache user town's the entire webserver document tree.
(3) Thus, the script will be able to write in any website in
the document tree.
THE SOLUTION
This is where I need help. Are there any easy and/or standard or even
feasible ways to do this?
I am currently investigating several ideas each with a unique set of
tradeoffs.
(1) Using a traditional Unix file system with separate users for
each website and SuExec to enforce permissions on cgi-scripts.
Will WebDav even run on such a configuration? I've never tried
it.
The down side for me is that Apache SuExec can only assign
User,Group CGI permission according to Unix home directories
(I had hoped to create website independent of the Unix user
mechanism) or by Virtual Host, which means all my web sites
must be Virtual Hosted and I must still assign Unix accounts.
(2) Two instances of Apache, one instance on port 8080 running WebDav
but *not* CGI for webmaster to upload content, the other instance on
port 80 running CGI but *not* WebDav for normal web clients. The
two instances would run as different Users,Groups so that CGI
scripts will run as users who can read but not write to the document
tree.
The down side here is that CGI scripts will not be able to use the
file system for storage. Any data stored from CGI scripts would
need to be written to a database such as MySQL.
(3) If I had 6 months to spend, maybe some combination of Apache module
and kernel module would allow Apache to limit CGI script file access
to specifically configured directories. This would require that the
kernel support a relatively granular ACL for process dependent file
access that can be manipulated by Apache.
Any suggestions would be most welcome.
- Jon Rifkin
============================================================================
==
# Jon Rifkin # 860-486-5530 # jon.rifkin@uconn.edu
# Information Technology Services # University of Connecticut
Received on Thursday, 19 June 2003 15:06:15 UTC