Access Denied.......problem #4

Ivan Kohler ivan at sisd.com
Tue Jul 21 02:28:06 PDT 1998


Most all UNIX implementations have been historically vulnerable to a
symlink security problem parsing the bang line (#!/usr/bin/some/program) 
in setuid scripts.  I believe some still are.  If your operating system
falls in this category then no setuid scripts are safe and you should
avoid using setuid scripts of any sort and wrap the .cgi programs in
htdocs/ using a program such as `wrapsuid' from the Perl distribution.  

Some OS's disable setuid scripting, or have an option for doing so.  Perl
provides setuid emulation via taintperl on these operating systems.

Lastly, some operating systems provide secure setuid scripting.  If this
is the case, it is possible that Perl failed to detect this when it was
compiled.

You should avoid setuid _shell_ scripts (#!/bin/sh, #!/bin/bash, etc.),
which are difficult if not impossible to write securely, even if setuid
scripts in general are secure on your operating system. 

Business::CreditCard from CPAN should be in the documentation.
File::CounterFile, however, is missing.  Sorry about that.

On Tue, 21 Jul 1998, Myfanwy Hawley wrote:

> Hi,
> 
> Scene so far: setting up freeside with mysql, everything compiled and seemed
> ok. So we went to our Freeside web page to start doing stuff and came to a
> screeching halt.
> 
> well after getting over the .htaccess problem we are now getting when trying
> to put in a New customer:
> Forbidden
> You don't have permission to access /edit/cust_main.cgi on this server.
> (Similar error for all other cgi scripts)
> 
> Now firstly it seemed to be a cgi problem as we are running script aliases
> in Apache for this, so I put in the following lines in srm.conf:
> ScriptAlias /cgi-bin/ /usr/local/etc/httpd/cgi-bin/
> ScriptAlias /freeside-browse-cgi-bin/ /usr/local/etc/httpd/htdocs/browse/
> ScriptAlias /freeside-edit-cgi-bin/ /usr/local/etc/httpd/htdocs/edit/
> ScriptAlias /freeside-misc-cgi-bin/ /usr/local/etc/httpd/htdocs/misc/
> ScriptAlias /freeside-search-cgi-bin/ /usr/local/etc/httpd/htdocs/search/
> ScriptAlias /freeside-view-cgi-bin/ /usr/local/etc/httpd/htdocs/view/
> 
> But I was still getting the above error. So I tried running the .cgi from a
> command line and got "You haven't disabled setID scripts in kernel yet. Fix
> this or c wrap" (that's not quite what it said but it's the gist).
> So...stumped again and not wanting to upset the kernel (if it ain't broke
> don't touch it!!)....so I set about and created a chmod 755 cust_main.cgi
> then created a 4755 cust_main.sh and:
> #! /bin/sh
> /usr/local/etc/httpd/htdocs/edit/cust_main.cgi
> This got around the setID problem. Now this allowed me to run one of the
> other cgi scripts at command line, so I really wanted to test with cust_main
> and when I tried to then run it from the command line it runs but.....can't
> find Creditcard.pm. It tells me where it can't find the file but it's
> there!!!!!!
> 
> So can anyone give light to
> A. What is causing the forbidden error
> B. Why can't cust_main.cgi find CreditCard.pm
> C. Is there an easy fix for the SetID problem.
> 
> Myfanwy Hawley
> Internet Services Engineer
> 
> For Comswest Internet HelpDesk call 1800 647 716
> ----------------------------------------------------------------------
> Comswest Internet Services
> (Services formerly provided by AlphaWest)
> http://www.alphawest.net.au
> ----------------------------------------------------------------------

-- 
Ivan Kohler <ivan at sisd.com> - finger for PGP key
Silicon Interactive Software Design - http://www.sisd.com/
Open-source billing and administration for ISPs - http://www.sisd.com/freeside
20 4,16 * * * saytime # consciousness is the missing symmetry
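Added example, not code from this thread or from Freeside: a POSIX shell audit that lists the setuid files under a directory tree and rates interpreted ones, so a 4755 shell wrapper like the cust_main.sh above stands out from a compiled wrapper such as `wrapsuid'. The function names and the HIGH/MEDIUM/LOW labels are this example's own convention.

```shell
#!/bin/sh
# audit_setuid_scripts DIR
# Lists every setuid (mode 4xxx) regular file under DIR and classifies it by
# its "#!" line. Setuid shell scripts are rated HIGH (they are nearly
# impossible to write securely), other interpreted scripts such as Perl
# CGIs are MEDIUM, and compiled binaries are LOW.
# Output: one tab-separated line per file:  RISK <TAB> INTERPRETER <TAB> PATH
# Usage:  . ./audit_setuid.sh; audit_setuid_scripts /usr/local/etc/httpd/htdocs
audit_setuid_scripts() {
    dir="$1"
    # -perm -4000 matches any file with the setuid bit, whatever the other bits
    find "$dir" -type f -perm -4000 2>/dev/null | sort | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null)
        case "$first" in
            '#!'*)
                interp=${first#\#!}
                interp=${interp# }        # tolerate "#! /bin/sh" spacing
                interp=${interp%% *}      # drop interpreter arguments (-T etc.)
                case "$interp" in
                    */sh|*/bash|*/ksh|*/csh|*/tcsh|*/zsh|*/dash|*/ash)
                        risk=HIGH ;;      # setuid shell script
                    *)
                        risk=MEDIUM ;;    # other setuid interpreted script
                esac
                printf '%s\t%s\t%s\n' "$risk" "$interp" "$f"
                ;;
            *)
                # no bang line: a compiled setuid binary (e.g. a wrapsuid wrapper)
                printf '%s\t%s\t%s\n' LOW binary "$f"
                ;;
        esac
    done
}

# has_setuid_shell_script DIR
# Exit status 0 when at least one setuid shell script is found under DIR,
# so the audit can gate a deployment step or feed a cron report.
has_setuid_shell_script() {
    audit_setuid_scripts "$1" | grep -q '^HIGH'
}
```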