From apwww@hyperreal.org Tue Sep 23 14:22:29 1997 Received: (from apwww@localhost) by hyperreal.org (8.8.5/8.8.5) id OAA28302; Tue, 23 Sep 1997 14:22:29 -0700 (PDT) Message-Id: <199709232122.OAA28302@hyperreal.org> Date: Tue, 23 Sep 1997 14:22:29 -0700 (PDT) From: "Eric I. Ekong" Reply-To: ekonge@ccaa.edu To: apbugs@hyperreal.org Subject: Cgi scripts been run as nobody instead of user. X-Send-Pr-Version: 3.2 >Number: 1161 >Category: config >Synopsis: Cgi scripts been run as nobody instead of user. >Confidential: no >Severity: critical >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Tue Sep 23 14:30:02 1997 >Last-Modified: Tue Sep 23 20:16:52 PDT 1997 >Originator: ekonge@ccaa.edu >Organization: >Release: Apache 1.1.3-3 >Environment: Linux abraham.ccaa.edu 2.0.30 #2 Sat Aug 30 17:53:48 EDT 1997 i586 unknown >Description: Basically, when cgi-scripts are run by our users they run as nobody instead of the users id. We want alieve this problem by making the script run as the user. We are not sure if this will be a security issue or not. My thought is that having nobody running several httpd daemons and then a number of cgi scripts from out users guestbooks us a big security risk. It also causes us a problem tracking down the run on process caused by a script. Is there a way to keep that script running as the user's id. I know there is a way to do this Front Page allows this with virtual hosts, but this is a college campus and we can't exactly set up 400 virtual hosts for our users. Can anyone provide us with the information to combat this problem? >How-To-Repeat: http://www.ccaa.edu/~bilbrj/sign.htm >Fix: No Idea, I am hoping you can tell me how to do this. We need to make it so that cgi scripts ran out of the users directories will be run by there id and not nobody. It worries me and I think it might cause a security risks with nobody popping up in all of the process running >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: marc State-Changed-When: Tue Sep 23 20:16:52 PDT 1997 State-Changed-Why: The is a basic configuration question that is covered by the docs and which is not appropriate in a bug reporting database. Please review the Apache documentation, especially that on suexec ( http://www.apache.org/docs/suexec.html ). Note that running scripts as users tends to increase your overall security risk, because now you are risking all your accounts if the user is stupid instead of just one throwaway account. >Unformatted: