Forum
Improve Security of our cgi-wrapper
Marco
26 September 2009, 11:59
Hiawatha version: all versions
Operating System: linux with new kernel 2.6 series
I hope that Hugo did not take offense if I post this little trick ;-)
We can remove suid bit permission of cgi-wrapper and it work fine.
1) Verify if in your linux dist there is libcap utility and if your
kernel is compiled with option CONFIG_SECURITY_FILE_CAPABILITIES=y.
2) If yes type this simple command:
chmod u-s /usr/local/sbin/cgi-wrapper
setcap cap_setgid,cap_setuid+ep /usr/local/sbin/cgi-wrapper
NOW!!! CGI-WRAPPER work fine without any suid permission!!!
I have tested it with perl end virtual directory.
If your system do not have this capability you can recompile the kernel
and download this package:
ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/libcap2
You can remove many bit suid of files in your system like:
su
passwd
ping
chown
Xorg
ecc...
After having 'stressed' Hugo with Hiawatha and OpenBSD....
I hope to have write something of nice and interesting ;-)
Bye
Operating System: linux with new kernel 2.6 series
I hope that Hugo did not take offense if I post this little trick ;-)
We can remove suid bit permission of cgi-wrapper and it work fine.
1) Verify if in your linux dist there is libcap utility and if your
kernel is compiled with option CONFIG_SECURITY_FILE_CAPABILITIES=y.
2) If yes type this simple command:
chmod u-s /usr/local/sbin/cgi-wrapper
setcap cap_setgid,cap_setuid+ep /usr/local/sbin/cgi-wrapper
NOW!!! CGI-WRAPPER work fine without any suid permission!!!
I have tested it with perl end virtual directory.
If your system do not have this capability you can recompile the kernel
and download this package:
ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/libcap2
You can remove many bit suid of files in your system like:
su
passwd
ping
chown
Xorg
ecc...
After having 'stressed' Hugo with Hiawatha and OpenBSD....
I hope to have write something of nice and interesting ;-)
Bye
Samiux
29 September 2009, 03:06
Hiawatha version : 6.17.1 (CGI-Wrapper bug fixed)
Operating System : Ubuntu 9.04 Server
Introduction
I am glad to hear that Hiawatha's cgi-wrapper working fine with Capabilities. I would like to make my webserver more secure than before, although I already know that application flaws are also need to be concerned.
Background
Ubuntu 9.04 Server has libcap2 already installed. It is believed that the Kernel option CONFIG_SECURITY_FILE_CAPABILITIES=y is set and compiled with.
However, Ubuntu 9.04 server comes without libcap2 commands. Therefore, the following package to be installed for the purpose.
In addition, CGI-Wrapper is works fine before implement of the Capabilities.
Capabilities Implementation
Then issued the following commands to cgi-wrapper and no error displayed.
The result of getcap :
Problem
When I visit my site, "500 - Internal server error" comes to my eyes. And the error in the log is attached.
/var/log/hiawatha/error.log :
Questions
(1) What is wrong for my setup? Do I need to reboot the system?
(2) What if I reset the suid to the original and still set capabilities?
Samiux
Operating System : Ubuntu 9.04 Server
Introduction
I am glad to hear that Hiawatha's cgi-wrapper working fine with Capabilities. I would like to make my webserver more secure than before, although I already know that application flaws are also need to be concerned.
Background
Ubuntu 9.04 Server has libcap2 already installed. It is believed that the Kernel option CONFIG_SECURITY_FILE_CAPABILITIES=y is set and compiled with.
However, Ubuntu 9.04 server comes without libcap2 commands. Therefore, the following package to be installed for the purpose.
sudo apt-get install libcap2-bin
In addition, CGI-Wrapper is works fine before implement of the Capabilities.
Capabilities Implementation
Then issued the following commands to cgi-wrapper and no error displayed.
sudo chmod u-s /usr/sbin/cgi-wrapper
sudo setcap cap_setgid,cap_setuid+ep /usr/sbin/cgi-wrapper
The result of getcap :
/usr/sbin/cgi-wrapper = cap_setgid,cap_setuid+ep
Problem
When I visit my site, "500 - Internal server error" comes to my eyes. And the error in the log is attached.
/var/log/hiawatha/error.log :
Tue 29 Sep 2009 08:06:25 +0800|192.168.0.1|/var/www/index.php|CGI-Wrapper v6.17.1|Only the Hiawatha webserver is allowed to execute this program.
Tue 29 Sep 2009 08:06:25 +0800|192.168.0.1|/var/www/index.php|no output
Questions
(1) What is wrong for my setup? Do I need to reboot the system?
(2) What if I reset the suid to the original and still set capabilities?
Samiux
Samiux
29 September 2009, 03:52
Problem solved
I forgot that the apparmor is enforced.
I forgot that the apparmor is enforced.
Marco
29 September 2009, 19:31
Don't worry Samiux, I have already tried it on my ubuntu like your,
without apparmor.
without apparmor.
Samiux
30 September 2009, 03:47
Marco,
My site is working fine under Capabilities, AppArmor and CGI-Wrapper except the Alias feature.
Samiux
My site is working fine under Capabilities, AppArmor and CGI-Wrapper except the Alias feature.
Samiux
Samiux
30 September 2009, 05:42
Marco,
The suid and setcap settings of cgi-wrapper will be restored to original when the Ubuntu kernel is updated.
Samiux
The suid and setcap settings of cgi-wrapper will be restored to original when the Ubuntu kernel is updated.
Samiux
Marco
2 October 2009, 21:58
You can make a simple script for restore capabilities to run after kernel update.
This topic has been closed.
Copyright © by Hugo Leisink. All rights reserved.
Built upon the Banshee PHP framework.
Built upon the Banshee PHP framework.
