Pp. 145–156 of the Proceedings

#!/bin/sh
echo -e "Content-type: text/plain\n"
echo "Hello world!"

#!/usr/local/bin/perl
use CGI qw(:standard);

$mailto   = param('mailto');
$subject  = param('subject');
$contents = param('contents');

open (MAIL,"|mail -s $subject $mailto");
print MAIL $contents";
print MAIL ".\n";
close MAIL;
print "Content-type: text/plain\n\n"
print "Mail sent to $address.";

hackers_r_us@hackers.com</etc/passwd

mail hackers_r_us@hackers.com</etc/passwd

#!/usr/local/bin/perl
fork() while 1;

https://www.site.com/~fred/guestbook.cgi

https://www.site.com/cgi-bin/cgiwrap/fred/guestbook.cgi

1.      sbox calls suid() to run the requested script with the privileges of the owner of the script or the script's containing directory.

2.      It calls sgid() to run the requested script under the privileges of the group that owns the script or the script's containing directory.

3.      It performs consistency checks on the script file and directory ownerships to catch insecure situations such as world-writable scripts.

4.      It establishes limits on the script's use of CPU, memory, processes, files and other resources.

5.      It calls chroot() to run the target CGI script in a restricted change-root directory locatated within the user's home directory.

6.      It cleanses the environment of information that is not germaine to CGI scripts.

7.      It logs its actions and executes the target script.

https://www.site.com/cgi-bin/sbox/~fred/guestbook.cgi

1.      sbox checks that it was launched by the unprivileged user and group that the Web server runs as, for example nobody and nogroup. This check is to avoid the possibility that some user or group is trying to exploit the script's set-user-id features from the command line.

2.      It checks whether it was launched by the root user, and aborts if so. This is often a sign that the Web server is misconfigured.

3.      It checks the target CGI script for set-user-id and set-group-id bits and refuses to run if so. Untrusted users shouldn't be allowed to write suid or sgid scripts.

4.      It checks that the target CGI script is executable by other, and aborts if not, assuming that the script's author had some reason for turning off the world execute bit.

5.      It checks that neither the target CGI script nor its enclosing directory is owned by unprivileged user and group that the web server runs as. If the target is owned by this user, it's possible that it is a trojan horse created by a file upload script.

6.      It checks that neither the target file nor its enclosing directory is world writable.

7.      If the chroot() feature is active, it checks that the target script is located within the directory that will become the new root. This is a prerequisite for launching the script after the chroot() call.

8.      Lastly, sbox checks that the target and its enclosing directory are owned by users and/or groups in an approved range, usually high-numbered IDs. This prevents sbox from being tricked into running a script as a special user such as bin.

ROOT     ".."
CGI_BIN  "../cgi-bin"

% ls -l /u/fred/pub
total 10
drwxr-xr-x   2 fred   users  1024 Oct 23 06:27 bin/     system binaries
drwxr-xr-x   3 fred   users  1024 Oct 19 20:44 cgi-bin/ CGI scripts
drwxr-xr-x   2 fred   users  1024 Oct 12 16:59 dev/     device special files
drwxr-xr-x   2 fred   users  1024 Oct 19 17:57 etc/     configuration files
drwxr-xr-x   2 fred   users  1024 Oct 22 19:14 html/    HTML document root
drwxr-xr-x   3 fred   users  1024 Oct 19 20:35 lib/     shared libraries
drwxr-xr-x   2 fred   users  1024 Oct 23 05:48 tmp/     temporary files

When sbox starts up, it determines the user's document root by looking at the Apache settings, which reveals the directory /u/fred/pub/html. It applies the CGI_BIN relative path, to give /u/fred/pub/cgi-bin as the directory in which to search for the CGI executable, and then applies the ROOT relative path to give /u/fred/pub as the directory that will become the new root. When sbox makes the chroot() call, /u/fred/pub becomes the top of the directory tree, creating a directory hierarchy with a structure similar to a Unix root filesystem. Files and directories above pub, which might include the user's private files, are off limits.

A drawback to this scheme is that it makes the user's entire document tree visible to his CGI scripts, which might not always be desirable. However a slight modification improves the scheme by making only a selected portion of the user's document tree visible. In this improved scheme, the Web server is configured so that the user's document tree is found, for example, in /u/username/public_html, and sbox is configured to change its root to a directory named sbox that is completely outside the public_html document tree:

ROOT       "../sbox"
CGI_BIN    "../sbox/cgi-bin"

For this configuration to work seamlessly, the user's directory should be set up something like this:

% ls -F /u/fred
public_html/                         document root
public_html/sbox/ -> ../sbox/html/   symbolic link
sbox/bin/
sbox/cgi-bin/                        CGI scripts
sbox/etc/
sbox/lib/
sbox/html/
sbox/tmp/
...

The user's CGI scripts will now execute within the restricted sbox subdirectory and have no access, by default, to the user's HTML document tree. However the user can grant access to selected HTML documents by placing them into public_html/sbox/, which is connected via a symbolic link to sbox/html/. This allows CGI-accessible files to be accessed directly with a URL like this one:

https://www.site.com/~fred/sbox/index.html

while sbox-controlled CGI scripts are accessed with a URL like this one:

https://www.site.com/cgi-bin/sbox/~fred/guestbook

and CGI scripts that need to read or manipulate static HTML files are passed the additional path information in URLs like this one:

https://www.site.com/cgi-bin/sbox/~fred/guestbook/html/index.html

If the Apache web server is being used, these URLs can be simplified significantly with URL rewriting rules. An example of this is shown below.

Environment Cleansing

Before executing the target CGI script, sbox sets up a clean environment to run the target in. Depending on how the Web server was launched, there may be residual information in the environment that is not germaine to the CGI protocol or may in fact divulge sensitive information, such as database authentication information, or private PATH directories.

sbox filters the current environment, allowing through only those environment variables that are specified by the CGI/1.1 protocol, such as REMOTE_ADDR, or which contain fields from the incoming HTTP request header, such as HTTP_USER_AGENT. In addition, sbox recognizes and permits a small number of common extensions to the CGI/1.1 protocol, such as the DOCUMENT_ROOT and SERVER_ADMIN variables.

Other variables are not automatically copied into the target script's environment. In particular the PATH environment variable, because of its history of exploitation is not passed through. Instead PATH is set up using a constant "safe path" set at compile time. By default, the safe path is "/bin:/usr/bin:/usr/local/bin". Because the target script will be running in a change-root directory, it is likely that only /bin will be available to the target script.

When possible, sbox adjusts path-related environment variables so that they correctly reflect the change-rooted filesystem seen by the user's CGI scripts. Among the environment variables that are adjusted are the DOCUMENT_ROOT variable, which should point to the top of the user's document tree and PATH_TRANSLATED, which points to the file passed to the user's CGI script as additional path information.

Logging

Before passing control to the user's CGI script, sbox logs its actions. It prints out a timestamp, the name of the CGI script being executed, and the UID and GID of the process that it will execute the script as. Diagnostic information is also logged when sbox's consistency checks fail, or when an error occurs during the processing or execution of the target CGI script.

By default, sbox sends its log entries to standard error, which on most web servers becomes incorporated into the shared server error log file. However sbox can instead be configured to write entries into a private log file. There's there's a performance penalty in keeping a private log file, since sbox must open the file for appending every time it runs.

The main rationale for having a log entry for each CGI script executed is that it provides an audit trail in the case of a CGI-based attack. The time of the attack can be correlated with the sbox log, and possibly lead to the identification of the script that was exploited. The sbox log could also be used to monitor CGI script usage for patterns suggestive of probing activity.

Practical Considerations

Configuring the sbox executable and preparing user-supported directories are the most tedious parts of using the sbox system. In order to reduce dependencies on the external environment, sbox does not use a configuration file. Instead, all its operational parameters are determined at compile time via a series of preprocessor #defines. About three dozen defines are contained in a single include file, sbox.h, which the system administrator must edit before compiling the executable. Fortunately, the vast majority of the defines are boilerplate values which will not need to be changed by most sites. Only about a half dozen are truly site-specific.

System administrators used to modern configuration scripts will probably be disappointed by this primitive configuration process, even though it is simple and straightforward. For this reason, a GNU configure style configuration script [Freisenhalm 1997] is currently in preparation.

A more onerous task is setting up user-supported directories so that their CGI scripts run correctly in a change-root environment. On most modern Unices, compiled programs need one or more shared libraries in order to execute. Either the user's CGI scripts must be compiled statically, or the new root directory must contain a /lib subdirectory (or the dialect's equivalent) containing the shared libraries the user needs.

Other system support files may needed as well. CGI scripts that require access to the DNS system for hostname resolution will need an /etc subdirectory containing resolv.conf. Scripts that perform time calculations may need access to the compiled timezone file, /usr/lib/zoneinfo/localtime. Programs that need access to device special files, such as /dev/null and /dev/zero will need the appropriate files created with the mknod program. Scripts written in interpreted languages such as Perl will require a /bin directory containing the interpreter executable, and any support files that the interpreter needs, such as code libraries.

Clearly there are drawbacks to replicating a good chunk of the root filesystem for each user-supported web directory. For one thing, the disk storage requirements may become prohibitive on a system with many users. One solution is to limit the type of CGI scripts that users can write to a particular development system, such as Perl. Then only those files needed to support the Perl interpreter will have to be copied into the user's scripting directory.

Another solution to this problem is to use NFS to mount a trimmed set of /lib, /bin, and /etc directories in each user-supported directory. Even after the chroot() operation, the contents of these directories will continue to remain available to the user's CGI scripts. Although this technique creates a lot of mount points, the overhead for unused NFS mounts is minimal [Stern 1991], and an automount daemon can be further used to reduce the load [Crosby 1997]. However if this technique is used, care must be taken not to mount directories that contain sensitive information, such as an /etc directory that contains a live passwd file. This would defeat the purpose of the change-root system.

A minor drawback to using sbox is that it is not completely transparent to the user. Instead of writing natural-looking CGI URLs, users have to be trained to interpose /cgi-bin/sbox in front of any URL that points to a CGI script. On Apache servers, an elegant solution to this problem is to use the mod_rewrite URL rewriting module to automatically add the /cgi-bin/sbox prefix to users' CGI URLs.

For example, one could use a mod_rewrite URL rewrite rule to transform URLs of the form:

/~fred/cgi/guestbook

into URLs of the form:

/cgi-bin/sbox/~fred/guestbook

by adding these directives to Apache's configuration file:

RewriteEngine On
RewriteRule ^/~(.+)/cgi/(.+)  /cgi-bin/sbox/~$1/$2  [PT,NS]

Neither the remote user nor the the script's author ever sees the longer URL. The name transformation is completely transparent. As a bonus, this rewrite expression also correctly handles additional path information appended to the end of the URL.

In order to perform its suid(), sgid(), and chroot() functions, sbox must run with superuser privileges. This means that, like cgiwrap and suEXEC, it must be installed set-user-id to root. This fact should give any cautious Unix system administrator pause. However, sbox consists of only 700 lines of C code, all of which are available for public scrutiny. sbox is careful to avoid using static buffers and string copy operations that could cause a buffer overflow. It also checks its environment at startup time to confirm that it was invoked by the web server and not some other local user.

Conclusions

The sbox wrapper increases the security of web sites that need to run untrusted CGI scripts. It prevents different users' CGI scripts from interfering with each other by running each user's program under distinct user and group IDs. It prevents user-maintained scripts from accessing sensitive parts of the file system by running each script in a change-root directory. It lessens the impact of denial of service attacks by establishing per-process resource limits, and it avoids certain common misconfigurations by checking the environment for consistency before it launches the target CGI script. Lastly, it creates an audit trail that can be used to track down malicious or poorly implemented CGI scripts.

sbox is not a panacea for CGI woes. There are a variety of CGI-based attacks that sbox cannot prevent. Chief among these are network-based attacks. For example, if a CGI script can be tricked into probing a firewall system from within the protected network, there is nothing that sbox can do to prevent this type of attack. To completely insulate the user's environment from that of the host, you need to step out of the Unix domain and use a partitioned operating system, such as Hewlett Packward's VirtualVault technology [Hewlett Packard 1998].

Finally, it is important to remember that the sbox wrapper alone won't make a Web site secure. CGI script precautions are just one component of a carefully considered site security policy that includes attention to operating system security, web server configuration, operating and backup procedures, and user education. While nothing is ever going to completely eliminate the risk of running untrusted CGI scripts on a Web server, the sbox wrapper does go a long way towards limiting the potential damage that poorly-written or malicious scripts can inflict.

Bibliography

• The Apache Group (1998). Apache suEXEC Support. https://www.apache.org/docs/suexec.html

Coar, K., and Robinson, D. (1998) The WWW Common Gateway Interface, Version 1.1. Internet Draft. ftp://ftp.ietf.org/internet-drafts/draft-coar-cgi-v11-00.txt

Computer Emergency Response Team (CERT), 1996-1998. Multiple CGI-related advisories. ftp://ftp.cert.org/pub/cert_advisories/

Crosby M. (1997). AMD--AutoMount Daemon. The Linux Journal 35, March 1997. https://www.ssc.com/LJ/issue35/amd.html

Fowler, G. (1993). The Shell as a Service. Usenix Summer 1993 Technical Conference Proceedings, Cincinnati, Ohio. https://www.usenix.org/publications/library.

Friesenhalm B. (1997). Autoconf Makes for Portable Software. Byte, November 1997.

Hewlett Packard, Inc. (1998). HP Internet Security / VirtualVault Home Page. https://www.hp.com/security/products/virtualvault/

Garfinkle S., with Spafford G. (1997). Web Security & Commerce. O'Reilly & Associates, Sebastopol CA.

Microsoft Corporation (1998). FrontPage 98 - Overview. https://www.microsoft.com/products/prodref/571_ov.htm

Neulinger N. (1996-1998). cgiwrap https://www.umr.edu/~cgiwrap/

Rubin A., Geer D., and Ranum M. (1997). Web Security Sourcebook. John Wiley & Sons, New York.

Stein, L. (1997). How to Set Up and Maintain a Web Site, Chapters 8-9. Addison-Wesley Longman, Boston.

Stein, L. (1998). Web Security: A Step-by-Step Reference Guide. Addison Wesley Longman, Boston.

Stein L. (1998). The Offical Guide to Programming with CGI.pm. John Wiley & Sons, New York.

Stein L. (1998). The Web Security FAQ. https://www.w3.org/Security/Faq

Stern H. (1991). Managing NFS and NIS. O'Reilly & Associates, Sebastopol, CA.