Re: NCSA httpd again: CGI scripts and log file descriptors (fwd)
So I forget - did we ever get around to deciding what to do about this?
Is this still in apache?

Brian


---------- Forwarded message ----------
Date: Thu, 4 May 1995 10:14:29 -0700 (PDT)
From: Paul Phillips <paulp@cerf.net>
To: Prentiss Riddle <riddle@is.rice.edu>
Cc: www-security@ns2.rutgers.edu, httpd@ncsa.uiuc.edu
Subject: Re: NCSA httpd again: CGI scripts and log file descriptors



On Thu, 4 May 1995, Prentiss Riddle wrote:

> Would anyone care to comment on Phillips' speculation as to whether
> this hole could do more than trash your logs?

It was pointed out that fchdir could conceivably be used to escape a
chrooted area. I also really don't like the idea that a CGI can log an
arbitrary amount of false information. Trashing the log files at least
informs the web admin that something is up, but information warfare can
be more dangerous than information vandalism.

> Furthermore, assuming you have tight restrictions on the CGI scripts
> you make available, is there any reason to believe that this could be
> exploited by malicious *users* (as opposed to malicious CGI authors)?

Nope, unless augmented by another hole that subverts the path translation
mechanism in httpd to execute CGIs.

I just tested httpd 1.4; the hole is still there. I didn't receive any
comment from NCSA when I informed them of it the first time, and I did
describe the fix (setting the close-on-exec flag of the fds).

--
Paul Phillips EMAIL: paulp@cerf.net
WWW: http://www.primus.com/staff/paulp/ PHONE: (619) 220-0850

Re: NCSA httpd again: CGI scripts and log file descriptors (fwd)
> >So I forget - did we ever get around to deciding what to do about this?
> >Is this still in apache?
>
> Yes we did, and yes it is. 8-(
> I uploaded a patch, B85, which fixed the problem; enough people voted for
> it to go into 0.6.3, but unfortunately it never made it into the 0.6.3
> distribution.
>
> I've uploaded a new version, B85-cloexec-2.txt, to hyperreal; this patch
> also sets the close-on-exec flag on the Virtual Host transfer logs.
>

As I remember, we decided not to do this since it *is* important to
get real errors logged.

Would it be possible to add another "safer" panic-log to the CGI
spec that would still get written out in this case?

Re: NCSA httpd again: CGI scripts and log file descriptors (fwd)
> To answer your implied question, B85 does not make any functional changes
> to a well-behaved CGI script; scripts still have the error_log as their
> stderr.
>
> > Would it be possible to add another "safer" panic-log to the CGI
> > spec that would still get written out in this case?
>
> Certainly. I'm not sure it's needed, though.
> IF the error_log were opened O_APPEND, then I don't think a script could do
> much damage.

What's to keep me from opening it with the CGI program and nuking it
to cover my tracks? The CGI program will also have the same write
permissions. We almost need to be doing a seteuid() to a safe user
ID and allow the server process to still be doing the logging as
root. It seems that this could be much easier accomplished with
the non-forker by letting the parent process handle all of the
logging as root and force the children to safer uids.

Am I all wet? (be nice...)

Re: NCSA httpd again: CGI scripts and log file descriptors (fwd)
> Date: Fri, 05 May 1995 10:22:41 -0500
> From: Randy Terbush <randy@dsndata.com>
>
> > Certainly. I'm not sure it's needed, though.
> > IF the error_log were opened O_APPEND, then I don't think a script could do
> > much damage.
>
> What's to keep me from opening it with the CGI program and nuking it
> to cover my tracks?
>
> You don't have permission --- that's why the server opens the logs as
> root, and runs CGI processes as 'nobody'. (So why can child processes
> write the logs? Because the server doesn't lose privilege to use the
> descriptors which it has already opened when it switches uids).

Ah. I had not realized that we were doing *anything* as root.

It would be *really* cool if we could assign UIDs to certain
ScriptAliased directories to make interfacing with DBMS a bit
more secure.


> One thing about O_APPEND --- can it be taken away with something like
> fcntl(.., F_SETFL, 0)? If so, it would be wise not to count on it for
> security.
>
> rst

Would need to write a test program to see how this works. The manpage
is not specific.

Re: NCSA httpd again: CGI scripts and log file descriptors (fwd)
>So I forget - did we ever get around to deciding what to do about this?
>Is this still in apache?

Yes we did, and yes it is. 8-(
I uploaded a patch, B85, which fixed the problem; enough people voted for
it to go into 0.6.3, but unfortunately it never made it into the 0.6.3
distribution.

I've uploaded a new version, B85-cloexec-2.txt, to hyperreal; this patch
also sets the close-on-exec flag on the Virtual Host transfer logs.

David.

Re: NCSA httpd again: CGI scripts and log file descriptors (fwd)
Date: Fri, 05 May 1995 10:22:41 -0500
From: Randy Terbush <randy@dsndata.com>

> Certainly. I'm not sure it's needed, though.
> IF the error_log were opened O_APPEND, then I don't think a script could do
> much damage.

What's to keep me from opening it with the CGI program and nuking it
to cover my tracks?

You don't have permission --- that's why the server opens the logs as
root, and runs CGI processes as 'nobody'. (So why can child processes
write the logs? Because the server doesn't lose privilege to use the
descriptors which it has already opened when it switches uids).

One thing about O_APPEND --- can it be taken away with something like
fcntl(.., F_SETFL, 0)? If so, it would be wise not to count on it for
security.

rst

Re: NCSA httpd again: CGI scripts and log file descriptors (fwd)
> > >So I forget - did we ever get around to deciding what to do about this?
> > >Is this still in apache?
> >
> > Yes we did, and yes it is. 8-(
> > I uploaded a patch, B85, which fixed the problem; enough people voted for
> > it to go into 0.6.3, but unfortunately it never made it into the 0.6.3
> > distribution.
> >
> > I've uploaded a new version, B85-cloexec-2.txt, to hyperreal; this patch
> > also sets the close-on-exec flag on the Virtual Host transfer logs.
> >
>
> As I remember, we decided not to do this since it *is* important to
> get real errors logged.

I don't remember this. But I was mistaken in thinking that B85 was voted
on -- it wasn't, and I don't know why.

To answer your implied question, B85 does not make any functional changes
to a well-behaved CGI script; scripts still have the error_log as their
stderr.

> Would it be possible to add another "safer" panic-log to the CGI
> spec that would still get written out in this case?

Certainly. I'm not sure it's needed, though.
IF the error_log were opened O_APPEND, then I don't think a script could do
much damage.

David.

Re: NCSA httpd again: CGI scripts and log file descriptors (fwd)
Date: Fri, 05 May 1995 15:27:09 -0500
From: Randy Terbush <randy@dsndata.com>

Ah. I had not realized that we were doing *anything* as root.

It would be *really* cool if we could assign UIDs to certain
ScriptAliased directories to make interfacing with DBMS a bit
more secure.

Hmmm... there is evidently a cgi-wrapper floating around which runs
suid-root, and picks an ID for the CGI script that it's going to run
based on who owns the script, or some such criterion.

Doing this in the server itself would require us to keep root
privilege after starting to process a request, which some people might
view as a security risk (it would make the potential damage from stuff
like the stack-scribbling security hole much worse, by running the
trojan horse code with full root privileges, for instance).

This isn't *quite* as much of a risk with the suid cgi-wrapper
approach, because the interface to the wrapper is somewhat more
constrained (the worst you could do would be to try to put confusing
variables in the environment with bogus MIME headers --- and the
forced HTTP_ prefix puts most "useful" variables out of reach), but
never say never.

rst

Re: NCSA httpd again: CGI scripts and log file descriptors (fwd)
>One thing about O_APPEND --- can it be taken away with something like
>fcntl(.., F_SETFL, 0)? If so, it would be wise not to count on it for
>security.

Yes it can, so the script can overwrite the log-file from the start.

David.
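The test program Randy said he would need to write, as an added example that is not part of the original thread or of the B85 patch: it checks both points the thread settles, that fcntl(fd, F_SETFL, 0) clears O_APPEND on an inherited log descriptor, and that marking the descriptor FD_CLOEXEC (the close-on-exec fix) keeps an exec'ed program, here /bin/sh standing in for a CGI script, from writing to it at all. The scratch path /tmp/cloexec-demo.log and the marker string are assumptions made up for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Scratch log path and marker, constructed for this demo (not Apache's own). */
#define LOG_PATH "/tmp/cloexec-demo.log"
#define MARKER "CGI-WROTE-HERE"

/* Open the log the way the thread assumes the server does: write-only, O_APPEND. */
static int open_log(void) {
    return open(LOG_PATH, O_WRONLY | O_CREAT | O_TRUNC | O_APPEND, 0600);
}

/* Check 1 (rst's question): does O_APPEND survive fcntl(fd, F_SETFL, 0)?
 * Returns 1 if the flag is still set afterwards, 0 if it was cleared. */
int append_survives_setfl(void) {
    int fd = open_log();
    if (fd < 0) return -1;
    fcntl(fd, F_SETFL, 0);
    int still_append = (fcntl(fd, F_GETFL) & O_APPEND) != 0;
    close(fd);
    unlink(LOG_PATH);
    return still_append;
}

/* Check 2 (the close-on-exec fix): can a separately exec'ed program, standing
 * in for a CGI script, write to the log descriptor it inherits?  With cloexec=1
 * the descriptor is marked FD_CLOEXEC before exec, so the kernel closes it in
 * the child.  Returns 1 if the child's marker reached the log, 0 if not. */
int exec_child_wrote_log(int cloexec) {
    int fd = open_log();
    if (fd < 0) return -1;
    if (cloexec) fcntl(fd, F_SETFD, FD_CLOEXEC);
    pid_t pid = fork();
    if (pid == 0) {
        /* The "CGI": a shell told to write to whatever descriptor number it inherited. */
        char cmd[64];
        snprintf(cmd, sizeof cmd, "echo %s 2>/dev/null >&%d", MARKER, fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    waitpid(pid, NULL, 0);
    close(fd);
    char buf[256] = {0};          /* read the log back and look for the marker */
    int rfd = open(LOG_PATH, O_RDONLY);
    if (rfd >= 0) { if (read(rfd, buf, sizeof buf - 1) < 0) buf[0] = 0; close(rfd); }
    unlink(LOG_PATH);
    return strstr(buf, MARKER) != NULL;
}
```

Without FD_CLOEXEC the child writes straight into the server's log; with it, the shell finds the descriptor closed and the log is untouched, which is why the thread ends up preferring close-on-exec over relying on O_APPEND.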