cgi-bin, bash scripts and security

blastman

blastman

blastman

Associate
Joined
8 Mar 2007
Posts
2,176
Location
between here and there
Hi chaps,

I have a website which when you fill in a form, fires a bash script located in the cgi-bin folder to do some stuff.

My question is, how can i lock the script down, so that it can't be run unless your logged into the site?

script location: /var/www/cgi-bin/script
website: /var/www/website1/public_html/

Now, I'm thinking that since the cgi-bin folder is higher up in the folder structure than the site it's self am I right that you couldn't access it via a url anyway?

I'm already doing a check for inappropriate input from the user BEFORE the script is fired in an effort to stop any bash/mysql injection, but I'd like to beef up my security, just in case.

Any thoughts?

thanks in advance
 
blastman said:
Hi chaps,

I have a website which when you fill in a form, fires a bash script located in the cgi-bin folder to do some stuff.

My question is, how can i lock the script down, so that it can't be run unless your logged into the site?

script location: /var/www/cgi-bin/script
website: /var/www/website1/public_html/

Now, I'm thinking that since the cgi-bin folder is higher up in the folder structure than the site it's self am I right that you couldn't access it via a url anyway?

I'm already doing a check for inappropriate input from the user BEFORE the script is fired in an effort to stop any bash/mysql injection, but I'd like to beef up my security, just in case.

Any thoughts?

thanks in advance
Click to expand...

You could write the script in such a way that it'd require a username and password to run, and thus you pass this when you want to call it. In addition to that, make the file only executable the user who should be running it, whether that be a group of users, or the webserver. It depends on how your website is running, in particular. Keeping the script out of the public directory is a good idea, though technically if you leave the appopriate holes in your code, people can still get to it. Security is something that requires constant vigilance. It's somewhat like a stack of cards, or a chain where you're only as strong as your weakest link. You should assume your security will be ineffective, and thus on top of preventing issues, you need to consider how to handle them when they do occur.
 
thanks for the reply.

I will look into adding the apache user into a new 'web' group, then only allow root and web to excute the file. that should help.

I'll then see if I can query mysql to see when the user who is running the script (username already being passed over) last logged on and if older than 20 minutes, log and fail to run.

I'll have to set all sessions to expire after 15 minutes, but that should cover it.

thanks.
 
You must log in or register to reply here.
Back
Top Bottom