MC on Apache and CGI
Pierre Sahores
psahores at easynet.fr
Sun Dec 8 16:45:01 EST 2002
Just as an add-on to what Andu and Sivakatirswami answered previously
:-)
>
> Pierre,
>
> > It's, basicaly, two ways you can install mc to have it running behind
> > Apache.
> >
> > 1.- As a simple cgi engine : just drop the mc engine where you want (but
> > not in a directory where any bad guy will expect to find it) and add the
> > right path head your mc-cgi scripts, alike "#!/the path/mc". Verify that
> > the right permissions are ok to let the cgis lauchables by the mc engine
> > and it will be ok.
> >
>
> That's what has been done (AFAIK) and it works OK.
>
> Although your comments raise a few important questions that
> I'll have to discuss with the UNIX guy :
> - what is the best directory to drop the mc engine so that
> no bad guy finds it ?
> - and what can happen if any bad guy finds it ?
> - is there anything specific that can be done (by a bad guy) with MC
> as a simple cgi engine that can't be done with a php or perl engine ?
> - does it have to do with the presence of a "wrapper" (I've seen
> that word at times in articles / discussions about cgi engines) ?
> - are there any safety measures to take to prevent that ?
Don't use the "GET method" in cgi scripts, including mc-based cgis. If
you use only the "POST method" in your mc-cgi scripts, including fine
conditional closed-list of the possibles replies to each incoming
request, excluding any possibility of replying outside of the previous
listed cases, mc will never become an unsecure deamon as long as it will
stay unlauchable by any "backdoor app" installed in any way on the
server. To be sure about that, and this is not specific to mc, as long
as there are many others engines availables on a server (perl, php,..
and, even, the gcc c compiler,...), the best - and it's what i do for my
own servers - is to pay a security consultant to update, with
regularity, your configs and have an eye on your servers againt bad
risks of security holes.
> And as for permissions : I know that the right permissions have
> to be set to mc-cgi scripts and text files used by those scripts, but
> have the feeling that there must be some specific other permissions to
> set in the Apache configuration to allow mc-cgi scripts to be triggered
> by external requests... If yes, can those permissions be set for one
> domain name only ?
>
> More on this issues, please...
>
> Thanks a lot,
> JB
>
I agree about what you seen in your logs, Andu ! It's the same there :
some ones are trying to hack "the NT directories structure" of my Linux
servers ! It's not a valuable reason to think that nobodyvill never be
able to hack a right securised box ;-)
To the end, we are more and more liestening, those days, about the
"proxy applications" security concept and i'm far sure that mc is the
"must have" tool to build such kind of firewall proxies apps !
--
Cordialement, Pierre Sahores
Inspection académique de Seine-Saint-Denis.
Applications et bases de données WEB et VPN
Qualifier et produire l'avantage compétitif
More information about the metacard
mailing list