W2H: Security considerations
Setting a user ID
To give users access to their own home directories, and to let them start their own
programs under their own accounts, the real user ID of the running CGI program has to be
changed. The CGI process runs as nobody and must be switched to the real user whose name
the http server passes in the environment variable REMOTE_USER (the server knows this name
from the authentication procedure).
The real user ID is changed by a special W2H program, setuser.
This program must be installed setuid root, and from that moment on it is dangerous
in the wrong hands. Do not let this program lie around unprotected.
Therefore, consider the following notes:
- This program requires some arguments on the command line and refuses to work
without them. From this point of view it may seem safe even when invoked as a CGI
script. Unfortunately that is not the case, because CGI scripts also receive
command line arguments when they are invoked from an ISINDEX document (the server
splits a query string containing no "=" into argv words).
- Summary: you either trust your CGI writers, or you cannot have this program
anywhere on your system.
- You should also restrict access to this program for normal users who do not come
through httpd. That seems simple: just change the mode of the program so that it is
executable only by nobody. Oops... that cannot work, because the program must be owned
by root to provide the setuid functionality. So you must do it in a slightly trickier way:
  - Create a directory which is accessible only by nobody.
  - Put the setuser program there, owned by root with the setuid bit set, so that only
    nobody (besides root) can reach and execute it.
- But in any case, never leave the setuser program in the http visible space!
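The privilege switch described above, as an added example that is not the W2H setuser source: a setuid-root helper that reads REMOTE_USER, resolves it with getpwnam(), drops root completely (supplementary groups, then gid, then uid), verifies that root cannot be regained, and only then execs the program named on its command line. The name check, the MIN_USER_UID policy and all function names are this example's own assumptions.

```c
#define _DEFAULT_SOURCE   /* for initgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed site policy (not from W2H): never become root or a system
 * account, whatever name the server hands over; real users start at 1000. */
#define MIN_USER_UID 1000

/* Accept only a conservative character set so a tampered REMOTE_USER cannot
 * carry shell, NSS or path metacharacters into the lookup or the exec. */
int username_ok(const char *name)
{
    if (name == NULL || *name == '\0' || strlen(name) > 32)
        return 0;
    for (const char *p = name; *p; p++) {
        int ok = (*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
                 (*p >= '0' && *p <= '9') || *p == '_' || *p == '-' || *p == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Look the name up in the passwd database. Returns 0 and fills uid/gid on
 * success, -1 if the name is malformed or unknown. Policy is checked apart. */
int resolve_user(const char *name, uid_t *uid, gid_t *gid)
{
    if (!username_ok(name))
        return -1;
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Policy check: 1 if the helper may switch to this uid, 0 otherwise. */
int uid_allowed(uid_t uid)
{
    return uid >= MIN_USER_UID;
}

/* Drop root for good. Order matters: the group changes need root, so they
 * come before setuid(). Afterwards regaining root must fail; if it does not,
 * the drop was incomplete and the caller must not continue. */
int drop_privileges(const char *name, uid_t uid, gid_t gid)
{
    if (initgroups(name, gid) != 0)   /* the user's groups, not root's */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)               /* must be impossible now */
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {                   /* like the text: refuse without arguments */
        fprintf(stderr, "usage: setuser program [args...]\n");
        return 2;
    }
    const char *name = getenv("REMOTE_USER");
    uid_t uid = 0;
    gid_t gid = 0;
    if (resolve_user(name, &uid, &gid) != 0 || !uid_allowed(uid)) {
        fprintf(stderr, "setuser: refusing REMOTE_USER\n");
        return 1;
    }
    if (drop_privileges(name, uid, gid) != 0) {
        fprintf(stderr, "setuser: cannot drop privileges: %s\n", strerror(errno));
        return 1;
    }
    /* Now an ordinary process of that user; run what the CGI script asked for. */
    execvp(argv[1], argv + 1);
    fprintf(stderr, "setuser: exec %s: %s\n", argv[1], strerror(errno));
    return 1;
}
```

Installed as the text recommends (root-owned, mode 4711, inside a directory owned by nobody with mode 0700, outside the document tree), the only thing an attacker who can still reach it controls is argv, and argv never influences which user the helper becomes.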
Access to user's documents
There are two antagonistic goals:
- to guarantee access to all files depending only on their UNIX access rights
- to do it by means of the http server, which normally recognizes only files in its own
visible space and then provides those files to anybody who asks
The W2H/GCG interface solves the problem in the following way:
- Nearly all necessary temporary files are created in the user's home directory, in a
special subdirectory .w2h-www. That implies the protection is as strong as the user
decided to have (because he/she defined the access rights to his/her own home directory).
All these files are small and will not eat too much space, which can be critical on the
disk partition holding the /home subdirectory.
- The output data files are created in the current working directory. This is chosen
by the user and can be anywhere, mostly outside the http visible space,
therefore without danger of being viewed by foreign eyes. The working directory can be
changed dynamically during the GCG session, so the user has full control over where to
put the big files etc.
- When a user wants to see a file (remember that the file can be, and mostly is, outside
the http visible space), a special CGI non-parsed-header script is involved to
substitute for a moment for the http server. This script also uses the server configuration
files and mime types database to produce a proper content type for the viewed file.
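The viewer in the last item, as an added example that is not the W2H script itself: the core of a non-parsed-header CGI program that emits its own status line and headers, looks the content type up in a mime.types-format table, and streams a file from outside the document tree. It is meant to run after the real uid has been switched to the user, so the open() succeeds or fails on that user's UNIX access rights and nothing else. The embedded mime table is a constructed excerpt, and the function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L   /* strtok_r, snprintf */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed excerpt in the format of the server's mime.types database:
 * "type/subtype  ext ext ...", comment lines start with '#'. */
static const char MIME_TABLE[] =
    "# constructed excerpt, not a real server's file\n"
    "text/html               html htm\n"
    "text/plain              txt seq msf\n"
    "image/gif               gif\n"
    "application/postscript  ps eps\n";

/* Extension of the last path component, or "" if it has none
 * (a leading dot, as in .profile, is not an extension). */
static const char *extension_of(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    const char *dot = strrchr(base, '.');
    return (dot && dot != base) ? dot + 1 : "";
}

/* Map a file name to a content type via a mime.types-format table. Writes the
 * type into out (size n) and returns out. Unknown or missing extensions get
 * application/octet-stream so the browser downloads instead of rendering. */
const char *content_type_for(const char *path, const char *table, char *out, size_t n)
{
    const char *ext = extension_of(path);
    const char *line = table;
    while (*line && *ext) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 0 && line[0] != '#') {
            char buf[256];
            if (len >= sizeof buf)
                len = sizeof buf - 1;
            memcpy(buf, line, len);
            buf[len] = '\0';
            char *save = NULL;
            char *type = strtok_r(buf, " \t", &save);
            for (char *e = strtok_r(NULL, " \t", &save); type && e;
                 e = strtok_r(NULL, " \t", &save)) {
                if (strcmp(e, ext) == 0) {
                    snprintf(out, n, "%s", type);
                    return out;
                }
            }
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    snprintf(out, n, "application/octet-stream");
    return out;
}

/* Write a complete HTTP/1.0 response to out, as an NPH script must (the
 * server adds nothing). Returns the HTTP status that was sent. Permission
 * failures become 403: the user's own access rights are the only policy. */
int serve_file(const char *path, FILE *out)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL) {
        int status = (errno == EACCES) ? 403 : 404;
        fprintf(out, "HTTP/1.0 %d %s\r\nContent-Type: text/plain\r\n\r\n%s: %s\n",
                status, status == 403 ? "Forbidden" : "Not Found", path, strerror(errno));
        return status;
    }
    char ctype[128];
    content_type_for(path, MIME_TABLE, ctype, sizeof ctype);
    fprintf(out, "HTTP/1.0 200 OK\r\nContent-Type: %s\r\n\r\n", ctype);
    char chunk[8192];
    size_t k;
    while ((k = fread(chunk, 1, sizeof chunk, f)) > 0)
        fwrite(chunk, 1, k, out);
    fclose(f);
    return 200;
}

int main(int argc, char **argv)
{
    /* The file to show arrives as PATH_INFO (or argv[1] for testing by hand). */
    const char *path = getenv("PATH_INFO");
    if (path == NULL && argc > 1)
        path = argv[1];
    if (path == NULL)
        return 2;
    return serve_file(path, stdout) == 200 ? 0 : 1;
}
```

Because the program must run with the viewing user's real uid, it belongs behind the setuser helper from the previous section rather than directly in the server's cgi-bin as nobody; otherwise it could only show files that nobody can read.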
Other security issues
Of course, there are other security aspects connected with any WWW application, including:
- Secure data transfer via network
- Secure password transmission via network
- Using a scripting language embedded in HTML documents
These items are general and are neither specifically introduced, nor solved, by the W2H interface.
More discussion of those topics can be found on the World Wide Web Security pages at
http://www-ns.rutgers.edu/www-security/.