[Solved] Question about cgi config security warning

Added by booshnelli about 1 year ago


Just installed lighttpd with the intent of setting up some plain old cgi stuff to run on my lan. Was reading the docs and looking at examples of how to implement it, and noticed that /etc/lighttpd/conf-available/10-cgi.conf reads:

# /usr/share/doc/lighttpd/cgi.txt

server.modules += ( "mod_cgi" )

$HTTP["url"] =~ "^/cgi-bin/" {
        cgi.assign = ( "" => "" )
        alias.url += ( "/cgi-bin/" => "/usr/lib/cgi-bin/" )
}

## Warning this represents a security risk, as it allow to execute any file
## with a .pl/.py even outside of /usr/lib/cgi-bin.
#cgi.assign      = (
#       ".pl"  => "/usr/bin/perl",
#       ".py"  => "/usr/bin/python",
#)

The commented out bit is what caught my eye in particular... and my question being, if configuring cgi.assign like described here would allow for executing .pl/.py files outside of /usr/lib/cgi-bin for instance, what would a more proper/safer implementation look like? One where that wouldn't be possible?

Please excuse me if I'm not grasping something fundamental here, all this old stuff is rather new to me! Haha


Replies (2)

RE: Question about cgi config security warning - Added by gstrauss about 1 year ago

If you are serving a static site of static files, then your risk level is low. If you put a file under the document root, it may be available to be served by lighttpd to an external HTTP client.

Once you start allowing external parties (clients) to trigger execution of scripts on your server, and to provide untrusted client-provided data to those scripts, your risk level increases. If your scripts are not secure, then your server resources and data are at risk, since the scripts execute on the server.

If you are the only person who has access to your server and you are careful what files you make available in the document root, then the risk level does not change. However, if other people might be able to put executable files into your document root, that is a big increase in risk.

Way back when the internet was younger and computers were much less powerful, a single server might provide "shared hosting" to multiple people. On such a server, the "cgi-bin/" directory might be locked down to administrators, and those admins might provide shared cgi scripts, e.g. a contact-me CGI script, to be used by others. On such systems, "cgi-bin" was more protected than the rest of the document root.

However, if you do not protect "cgi-bin/" then there is no difference in risk between "cgi-bin" and elsewhere in the document root. That is not to say there is no risk -- it simply says that the risk is the same under the document root.

Ultimately, it is your choice where to allow executable scripts, and how to manage those scripts and permissions to modify those scripts or locations.
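As an added example (not part of the thread and not lighttpd's own code), this Python audit checks the two things the reply above turns on: which files a global cgi.assign for .pl/.py would expose for execution outside the CGI directory, and which directories under the document root someone other than the owner can write to. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_docroot(docroot, cgi_dir, extensions=(".pl", ".py")):
    """Return (scripts_outside, writable_dirs) for a document root.

    scripts_outside: files with a CGI-mapped extension that are not under
        cgi_dir; a cgi.assign set outside the /cgi-bin/ condition would hand
        these to the interpreter when requested.
    writable_dirs: directories that group or other can write to, i.e. places
        where someone other than the owner could drop a new script.
    """
    docroot = os.path.realpath(docroot)
    cgi_dir = os.path.realpath(cgi_dir)
    scripts_outside, writable_dirs = [], []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        mode = os.lstat(dirpath).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            writable_dirs.append(dirpath)
        inside_cgi = os.path.commonpath([cgi_dir, dirpath]) == cgi_dir
        for name in filenames:
            if name.endswith(tuple(extensions)) and not inside_cgi:
                scripts_outside.append(os.path.join(dirpath, name))
    return sorted(scripts_outside), sorted(writable_dirs)

def build_sample_tree():
    """Constructed sample layout: one script in cgi-bin, one stray upload."""
    root = os.path.realpath(tempfile.mkdtemp())
    for sub in ("cgi-bin", "uploads"):
        os.mkdir(os.path.join(root, sub))
    for rel in ("index.html", "cgi-bin/contact.pl", "uploads/notes.py"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "cgi-bin"), 0o755)
    os.chmod(os.path.join(root, "uploads"), 0o777)  # deliberately too open
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    outside, writable = audit_docroot(root, os.path.join(root, "cgi-bin"))
    print("would execute under a global cgi.assign:", outside)
    print("group/other-writable directories:", writable)
```

On a real host, pass the configured document root and the directory that alias.url maps /cgi-bin/ to; if that directory lies outside the document root, every .pl/.py file under the document root is reported.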

RE: Question about cgi config security warning - Added by booshnelli about 1 year ago

Ah I see, so more a general warning on the nature of it all... perhaps I was overthinking things. Well thank you for the handy recap of the fundamentals & best practices! (and the speedy reply!) I'll be certain to keep them in mind when mucking about with cgi scripts the same as I do for user-triggered/user-inputted scripts of other kinds.

But just in case anyone is interested I collected a couple resources on security tips specifically focussed on cgi: