[fpc-pascal]Login CGI

Andreas K. Foerster AKF at AKFoerster.de
Tue Oct 16 19:37:26 CEST 2001


On Tue, Oct 16, 2001 at 02:54:54PM +0200, Cyril Lamy wrote:

> > If you want to have root privileges, simply make the CGI program
> > setuid root.
> > But don't blame me, if someone kills your system!
> 
> It is very dangerous to run a CGI script as root.
> Any hole in the CGI can be an entry point to break your system.

I just forgot the smiley.

> I recently made a web interface to create Unix accounts on a server:
> You have a form that requires the username and a password to create
> the corresponding account.
> This page is protected by a .htaccess (the server is running Apache).
> 
> When you validate the form, the CGI creates a file containing the username
> and the plain password. (Not
> very secure, of course, but more secure than running the CGI as root.)

You could make it more secure if you do this:
chmod('filename', 0);
Then only root can read the file.

> Then the cron daemon executes, every ten minutes, a program that has the
> setuid bit set to root, and this program
> reads the file created by the CGI, verifies the data and then creates Unix
> accounts.
> 
> This method is not 100% secure, but it shows you how to avoid a CGI running as
> root.

Very good idea.
Thanks!

-- 
Tschuess
	Andreas
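As an added example (not code from this thread or from the FPC project), the two halves of the split design Cyril describes, written for modern Free Pascal with the BaseUnix unit: the unprivileged CGI half creates the request file with no permission bits from the start (the same effect as the chmod(..., 0) above, but without a window in which a world-readable file exists), and the privileged half re-validates everything it reads because the spool is writable by the web user. The spool directory, its ownership, the username rule and the sample request are all assumptions made for the example.

```pascal
program accountqueue;
{ Added example, not from the original thread. Assumes modern Free Pascal
  (BaseUnix/UnixType units) and the spool directory named below. }
{$mode objfpc}{$H+}

uses
  BaseUnix, UnixType, SysUtils;

const
  { Assumption: owned by the web-server user, mode 0700. Root can still
    read it; nobody else can list or open the request files. }
  DefaultQueueDir = '/var/spool/mkaccount';

{ Both halves apply the same rule. A name that passes here is safe to use
  as a file name and to hand to useradd as a single argument. }
function ValidUsername(const Name: string): Boolean;
var
  i: Integer;
begin
  Result := False;
  if (Length(Name) < 1) or (Length(Name) > 32) then Exit;
  if not (Name[1] in ['a'..'z']) then Exit;
  for i := 2 to Length(Name) do
    if not (Name[i] in ['a'..'z', '0'..'9', '_', '-']) then Exit;
  Result := True;
end;

{ CGI half (unprivileged): write one request file, created with mode 0.
  The descriptor stays writable because the mode only applies to later
  opens; O_EXCL makes the create fail instead of following a symlink or
  overwriting an existing request. }
function QueueRequest(const QueueDir, User, Password: string): Boolean;
var
  Path, Line: string;
  fd: cint;
begin
  Result := False;
  if not ValidUsername(User) then Exit;
  if (Password = '') or (Pos(#10, Password) > 0) then Exit;
  Path := QueueDir + '/' + User + '.req';
  fd := FpOpen(PChar(Path), O_WRONLY or O_CREAT or O_EXCL, 0);
  if fd < 0 then Exit;
  Line := User + ':' + Password + #10;
  Result := FpWrite(fd, Line[1], Length(Line)) = Length(Line);
  FpClose(fd);
end;

{ Root half (the setuid/cron program): parse one request and re-check it.
  The web user can write anything into the spool, so the file contents are
  untrusted input even though our own CGI is supposed to be the only writer. }
function ReadRequest(const Path: string; out User, Password: string): Boolean;
var
  F: TextFile;
  Line: string;
  p: Integer;
begin
  Result := False;
  AssignFile(F, Path);
  {$I-} Reset(F); {$I+}
  if IOResult <> 0 then Exit;
  ReadLn(F, Line);
  CloseFile(F);
  p := Pos(':', Line);
  if p = 0 then Exit;
  User := Copy(Line, 1, p - 1);
  Password := Copy(Line, p + 1, MaxInt);
  Result := ValidUsername(User) and (Password <> '');
end;

{ Root half: create the account with no shell in between. ExecuteProcess
  takes an argument array, so User is never interpreted by a shell. }
function CreateAccount(const User: string): Boolean;
begin
  Result := ValidUsername(User) and
    (ExecuteProcess('/usr/sbin/useradd', ['-m', User]) = 0);
end;

var
  Dir, U, P: string;
begin
  if ParamCount >= 1 then Dir := ParamStr(1) else Dir := DefaultQueueDir;
  { constructed sample request }
  if QueueRequest(Dir, 'alice', 'constructed-password') then
    WriteLn('queued ', Dir, '/alice.req')
  else
    WriteLn('refused, or could not create the request file');
  { a name carrying shell metacharacters never reaches the spool }
  WriteLn('rejects "bob;id": ', not ValidUsername('bob;id'));
  { run as root, the reader picks the file up again }
  if ReadRequest(Dir + '/alice.req', U, P) then
    WriteLn('request for ', U, ' validated');
end.
```

Run it with a writable directory as the first argument to try the queue half as an ordinary user; only root can read the mode-0 file back, which is the point of the split. Setting the new account's password (for example by feeding chpasswd on its standard input) is left out; CreateAccount only shows that the validated name goes to useradd as an argument rather than through a shell command line.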