
[tlug] Re: tlug] Security question with grep/e...
- Date: Tue, 23 Mar 2004 16:03:45 +1100 (EST)
- From: Jim Breen <Jim.Breen@example.com>
- Subject: [tlug] Re: tlug] Security question with grep/e...
"Stephen J. Turnbull" <stephen@example.com> wrote:
>>
>> >>>>> "Jim" == Jim Breen <Jim.Breen@example.com> writes:
>>
>> Jim> [...] the CGI program would do a system() call [...]
>>
>> Since you care about the host, don't do system() calls. There are too
>> many ways to break the call itself, and you then become hostage to any
>> security holes that may exist in the called programs as well.
Can you be more specific about the risks? As I understand it, doing a
system("foobar par1 par2"); just stokes up /bin/sh under my account (it's
usually cgiwrap or equivalent) and runs foobar. No different from my running
foobar myself. I'm not doing it with anything suid, etc. I don't have su
rights on the host.
>> What's wrong with using the native regexp facility of whatever you're
>> using to write the CGI? Even if it's in C or C++, the POSIX regcomp/
>> regexec facility is not rocket science to use. That's what you'd be
>> using with grep, anyway, AFAIK.
Two reasons:
(a) laziness. It's easier to stoke up a system call than open the file and
do it line-by-line. Actually it's *MUCH* easier than regexec()'s
horrible call;
(b) portability. I have actually found some of those libraries not
so smoothly implemented. Since I have mirrors on Solaris, AIX, FreeBSD
and almost all Linices, system("egrep ..."); seemed more likely to
work on them all. (iconv(), for example, has some problems on the AIX
system, probably because of code-table differences.)
Brett Robson <b-robson@example.com> wrote:
>> OS stuff in cgi is a nightmare,
system() in C isn't exactly OS level. It's really a way of spawning
a program and returning once it has finished.
>> I'd prefer to use Perl's built in stuff
>> do to that. If you aren't programming in Perl perhaps a Perl wrapper
>> would be best.
Steve's suggestion of regcomp/regexec achieves the same, and avoids
using a <shudder>Perl wrapper</shudder>.
>> The most obvious thing of course is to make sure the web server's
>> privileges are restricted.
Of course. But I don't see how this is affecting privileges. It all runs
in my space and with my guid, etc.
>> ps it's bloody cold in Tokyo.
Balmy here. Low 20s each day. Just that slight autumnal nip in the
air early on.
Cheers
Jim
--
Jim Breen http://www.csse.monash.edu.au/~jwb/
Computer Science & Software Engineering, Tel: +61 3 9905 9554
Monash University, VIC 3800, Australia Fax: +61 3 9905 5146
(Monash Provider No. 00008C) ジム・ブリーン@モナシュ大学
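
The in-process alternative raised in the quoted text (POSIX regcomp/regexec over the file, line by line, instead of system("egrep ...")), as an added example that is not part of the original message or code from anyone in the thread. The names grep_stream and grep_sample and the sample lines are made up for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Return the number of lines in fp matching the extended regex `pattern`,
 * or -1 if the pattern does not compile. Matching lines go to `out` if set.
 * The pattern is only ever handed to regcomp(), never to /bin/sh, so
 * characters such as ; | ` $ have no shell meaning here. */
int grep_stream(const char *pattern, FILE *fp, FILE *out)
{
    regex_t re;
    char line[1024];   /* longer lines are examined in buffer-sized pieces */
    int hits = 0;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;                      /* reject bad patterns up front */
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\n")] = '\0';
        if (regexec(&re, line, 0, NULL, 0) == 0) {
            hits++;
            if (out != NULL)
                fprintf(out, "%s\n", line);
        }
    }
    regfree(&re);
    return hits;
}

/* Constructed sample data standing in for the file a CGI would search. */
static const char SAMPLE[] = "neko cat\ninu dog\ntori bird\n";

/* Hypothetical helper: run grep_stream() over SAMPLE, all in memory. */
int grep_sample(const char *pattern)
{
    FILE *fp = fmemopen((void *)SAMPLE, sizeof SAMPLE - 1, "r");
    int n;
    if (fp == NULL)
        return -2;
    n = grep_stream(pattern, fp, NULL);
    fclose(fp);
    return n;
}

int main(void)
{
    printf("%d\n", grep_sample("^(neko|inu) "));  /* ordinary ERE */
    printf("%d\n", grep_sample("dog; id"));       /* ';' is literal text */
    printf("%d\n", grep_sample("[unclosed"));     /* compile error */
    return 0;
}
```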