[imp] security: boundaries for untrusted users

Rich Lafferty rich@horde.org
Wed, 11 Apr 2001 16:48:01 -0400


On Wed, Apr 11, 2001 at 02:07:47PM -0600, Ann Cantelow (cantelow@atlas.csd.net) wrote:
> 
>   " For completely fascist permissions, you can make the entire
>     PHPLIB/Horde/IMP trees inaccessible except by the web server:
> 
>         # chgrp -R nobody /home/httpd/horde-phplib
>         # chgrp -R nobody /home/httpd/html/horde
>         # chmod -R o-rwx /home/httpd/horde-phplib
>         # chmod -R o-rwx /home/httpd/html/horde "
> 
> Of course, this goes out the window if the untrusted users also have
> access to write cgi programs on the system, since cgi programs normally
> also run as the web user.  (Seems to me the SEC. doc should mention
> that.)

On systems with "normal" (i.e. autonomous) users, no, cgi programs
absolutely do *not* run as the webserver user. That would be a "poorly
configured system" even if IMP *wasn't* installed on it.

> Can I tell my boss about Imp on this machine, "can't get there from
> here"?  

That depends on far too many factors to be able to suggest a cookbook
approach. For what it's worth, we run IMP on a 17k-user (primarily
student-inhabited) general-purpose machine, and we isolated IMP from
the rest of the world by running a separate webserver on its own port
(although "on its own interface" would work just as well), starting the
database with chrootuid, and running the webserver in the same chroot.

For what it's worth, I find cgiwrap to be considerably easier to
manage than suexec.

  -Rich

-- 
------------------------------ Rich Lafferty ---------------------------
 Sysadmin/Programmer, Instructional and Information Technology Services
   Concordia University, Montreal, QC                 (514) 848-7625
------------------------- rich@alcor.concordia.ca ----------------------
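The permission scheme quoted in the message above (hand the tree to the web server's group, strip all "other" bits) is easy to apply and just as easy to get partially wrong, so the script below, which is an added example and not part of the thread or of the Horde/IMP documentation, wraps the two commands in a function and pairs them with an audit that walks the tree and reports anything still world-accessible or not owned by the expected group. It assumes the tree path and group name are passed as arguments; the tests use the caller's own primary group so the script can run unprivileged, whereas a real deployment would use the web server's group (`nobody` in the quoted text) and run as root.

```bash
#!/bin/sh
# Added example (not from the original mailing-list thread).
# lock_tree DIR GROUP: the "web server only" scheme from the quoted
# message, i.e. chgrp -R GROUP DIR followed by chmod -R o-rwx DIR.
lock_tree() {
    chgrp -R "$2" "$1" && chmod -R o-rwx "$1"
}

# audit_tree DIR GROUP: list every entry under DIR whose "other" bits are
# not all clear, or whose group is not GROUP. Returns 1 if anything was
# found, 0 if the tree is clean. Uses `ls -ld` instead of `find -perm /`
# so it behaves the same with GNU and BSD userlands.
audit_tree() {
    bad=$(find "$1" -print | while IFS= read -r f; do
        line=$(ls -ld "$f")
        other=$(printf '%s\n' "$line" | cut -c8-10)   # chars 8-10: o=rwx
        grp=$(printf '%s\n' "$line" | awk '{print $4}')
        if [ "$other" != "---" ] || [ "$grp" != "$2" ]; then
            printf '%s (other=%s group=%s)\n' "$f" "$other" "$grp"
        fi
    done)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage: ./lock_and_audit.sh /home/httpd/html/horde nobody
# (paths and group taken from the quoted message; run as root for a real tree)
if [ "$#" -eq 2 ]; then
    lock_tree "$1" "$2" && audit_tree "$1" "$2"
fi
```

The audit only looks at mode bits and group ownership, which is exactly what the quoted commands change. It does not catch the two ways the scheme is bypassed that the thread itself discusses: a CGI program (or any other process) that runs as the web server user or group is inside the boundary by definition, and the scheme gives no isolation at all on a host where untrusted users can obtain that identity. Filesystem ACLs granting access to other users are likewise invisible to a mode-bit check and would need a separate `getfacl`-style pass.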