eXtropia: the open web technology company
presentations: Wrapping CGI Scripts
Presentations by eXtropia CTO Gunther Birznieks  

Apache 1.2 introduced a wrapper called suEXEC. With suEXEC, developers are protected from damaging or viewing other developers' confidential work. However, used improperly, suEXEC can open up a host of other security issues.

The slides cover how suEXEC can be used as well as the differences between alternative wrappers such as cgiwrap and sbox. In addition, the impact the wrappers have on CGI developers is shown.

Originally presented at the first ApacheCon/San Francisco, June 1998.

Zipped Powerpoint (37K) | PDF (59K)


Introduction  

The slides also address the shortcomings of these wrappers. Some development models may be better served by a multiple-server configuration than by wrappers; for those cases, the slides cover Apache-specific administration techniques such as the use of mod_proxy and mod_rewrite.

Summary of Feature Differences

Feature                                                   suExec   CGIWrap v3.6.2   sbox v.98
Current Working Directory Transparent to Web Developers   Y        Y                N
URL Transparent to Web Developers (w/o mod_rewrite)       Y        N                N
CHROOT Support                                            N        N                Y
Supports Virtual Host Section User Directive              Y        N                N
Extensive CGI Debugging Output Support                    N        Y                N
Resource Limit Checking                                   N        Y                Y
Integrates with AFS Security                              N        Y                N
Has check for script symlink                              Y        Y                N
Cleanse environment of non-CGI vars                       Y        N                Y
Log script execution                                      N        Y                N
Limit subdirectories                                      N        Y                N
Experimental (Not Released officially)                    N        N                Y
Use setgid instead of setuid mode                         N        N                Y
Check to see if running as web server group               N        N                Y

NOTE: The slides also discuss running multiple web servers under different UIDs as another option. The summary table above is only a quick glance at the differences between the wrappers. The sophisticated features of an SUID program such as a wrapper generally do not apply when comparing against several server processes that are already set up with different security configurations.

In addition, the table above only shows differences between the wrapper programs. There are common security checks and precautions that all these CGI wrappers use.
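To make the table's checks concrete, here is an added example (written for this page, not code from the slides or from suEXEC, cgiwrap or sbox) of three checks a wrapper of this kind performs before handing control to a script: refusing a script that is a symbolic link, cleansing the environment down to CGI variables, and confirming the wrapper was invoked by the web server's group. The allow-list, the group name and the temporary file names are assumptions chosen for illustration.

```c
/* Added example, not from the eXtropia slides or any of the wrappers they
   compare: minimal forms of three checks from the comparison table.
   The allow-list, group name and /tmp file names are illustrative assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#include <grp.h>

/* Allow-list of variables a CGI script legitimately needs (assumed list).
   An entry ending in '_' is a prefix rule, so "HTTP_" admits every HTTP_* header. */
static const char *const cgi_allowed[] = {
    "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE", "PATH_INFO",
    "PATH_TRANSLATED", "QUERY_STRING", "REMOTE_ADDR", "REMOTE_HOST",
    "REMOTE_USER", "REQUEST_METHOD", "SCRIPT_NAME", "SERVER_NAME",
    "SERVER_PORT", "SERVER_PROTOCOL", "SERVER_SOFTWARE", "HTTP_", NULL
};

/* Returns 1 if an "NAME=value" entry is on the allow-list, else 0.
   Only the part before '=' is compared, so values cannot influence the match. */
int is_cgi_var(const char *entry) {
    size_t name_len = strcspn(entry, "=");
    for (const char *const *p = cgi_allowed; *p; ++p) {
        size_t alen = strlen(*p);
        if ((*p)[alen - 1] == '_') {                       /* prefix rule */
            if (name_len >= alen && strncmp(entry, *p, alen) == 0) return 1;
        } else if (name_len == alen && strncmp(entry, *p, alen) == 0) {
            return 1;                                      /* exact name */
        }
    }
    return 0;
}

/* Copies only allowed entries from in[] into the NULL-terminated out[]
   (at most max_out-1 entries) and returns how many survived. Variables such
   as PATH, IFS or LD_PRELOAD are dropped because they are not CGI variables. */
size_t cleanse_env(char *const in[], const char *out[], size_t max_out) {
    size_t n = 0;
    for (size_t i = 0; in[i] && n + 1 < max_out; ++i)
        if (is_cgi_var(in[i])) out[n++] = in[i];
    out[n] = NULL;
    return n;
}

/* Returns 1 if path is a symbolic link, 0 if it is not, -1 if it cannot be
   examined. lstat() is used deliberately: stat() would follow the link and
   report on the target instead of the link itself. */
int script_is_symlink(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Returns 1 if the real group id of this process matches group_name
   (e.g. the group the web server runs as), 0 if not, -1 if the group is unknown. */
int invoked_by_group(const char *group_name) {
    struct group *gr = getgrnam(group_name);
    if (!gr) return -1;
    return getgid() == gr->gr_gid ? 1 : 0;
}

/* Self-test for the symlink check: creates a regular file and a link to it
   under constructed /tmp names, checks both, removes them.
   Returns 1 when the link is flagged and the plain file is not, else 0 (-1 on setup error). */
int symlink_check_selftest(void) {
    char file[] = "/tmp/wrapdemo_XXXXXX";
    int fd = mkstemp(file);
    if (fd < 0) return -1;
    close(fd);
    char link[sizeof file + 8];
    snprintf(link, sizeof link, "%s.lnk", file);
    if (symlink(file, link) != 0) { unlink(file); return -1; }
    int r = (script_is_symlink(link) == 1 && script_is_symlink(file) == 0);
    unlink(link);
    unlink(file);
    return r;
}

int main(void) {
    /* Constructed sample environment: two CGI variables, two that must be dropped. */
    char *sample[] = { "QUERY_STRING=x", "PATH=/bin", "REMOTE_ADDR=10.0.0.1", "IFS= ", NULL };
    const char *kept[8];
    size_t n = cleanse_env(sample, kept, 8);
    printf("kept %zu of 4 variables\n", n);
    printf("symlink self-test: %d\n", symlink_check_selftest());
    printf("invoked by group 'www-data' (assumed name): %d\n", invoked_by_group("www-data"));
    return 0;
}
```

A real wrapper performs these checks after dropping to the target user's privileges and before exec(), and treats any -1 result as a refusal rather than a pass; the group check is the one the table credits to sbox, and the symlink and environment checks are the ones it credits to suEXEC and, respectively, cgiwrap and sbox.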

The people who have contributed most directly to my efforts here are Mark McDonald, Scott Clasen, Bill Lee, Anthony Masiello, Peter Chines, Selena Sol, and Erik Ferlanti.