Creating a custom execution environment includes the following steps:
Installing suid and Cgistub
Creating a cgi-bin directory
Specifying a chroot directory for the virtual server
Cgistub enforces the following security restrictions:
The user the CGI program executes as must have a uid of 100 or greater. This prevents anyone from using Cgistub to obtain root access.
The CGI program must be owned by the user it is executed as and must not be writable by anyone other than its owner. This makes it difficult for anyone to covertly inject and then remotely execute programs.
Cgistub creates its UNIX listen socket with 0700 permissions.
Socket permissions are not respected on a number of UNIX variants, including current versions of Sun operating systems/Solaris. To prevent a malicious user from exploiting Cgistub, ensure that the server's temporary directory is set (using the server.xml temp-path element) to a directory accessible only to the server user.
You cannot install the suid Cgistub program on an NFS mount. If you want to use an suid Cgistub, you must install your server instance to a local file system.
Log in as a superuser.
Create the private directory for Cgistub under install-dir/https-instance, so that its path is install-dir/https-instance/private:
cd install-dir/https-instance
mkdir private
If you install Cgistub in any other directory, you must specify the path to Cgistub in the init-cgi function in the magnus.conf file. For details, see the Sun Java System Web Server 7.0 Update 4 Administrator’s Configuration File Reference.
Copy Cgistub to the private directory.
cd private
cp ../../lib/Cgistub .
Set the owner of private to the server user.
chown user .
Set the permissions on private.
chmod 500 .
Set the owner of Cgistub to root.
chown root Cgistub
Set the permissions on Cgistub.
chmod 4711 Cgistub
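The following shell script is an added example and is not part of this Sun documentation; it checks an installed Cgistub and a CGI program against the restrictions listed above (private directory owned by the server user with mode 500, Cgistub owned by root with mode 4711, CGI user with a uid of 100 or greater, CGI program owned by that user and not writable by anyone else). It uses only POSIX find and id so that it also runs on Solaris. All paths and user names are assumptions supplied by the caller; the owner argument exists only so the checks can be exercised without root and should be left at its default of root in a real audit.

```shell
#!/bin/sh
# Added example, not the product's own code: audit an suid Cgistub
# installation and a CGI program against the documented restrictions.
# Only POSIX find(1) and id(1) are used so the script works on Solaris too.

# The CGI user must have a uid of 100 or greater, which keeps Cgistub from
# ever handing out root. Takes the numeric uid (e.g. from `id -u user`).
cgi_uid_ok() {
    uid=$1
    [ "$uid" -ge 100 ] 2>/dev/null
}

# True when FILE is owned by USER; -prune stops find descending into directories.
owned_by() {
    file=$1; user=$2
    [ -n "$(find "$file" -prune -user "$user" -print 2>/dev/null)" ]
}

# A CGI program must be owned by the user it runs as and must not be
# writable by group (020) or others (002).
check_cgi_program() {
    prog=$1; user=$2
    if ! owned_by "$prog" "$user"; then
        echo "FAIL: $prog is not owned by $user" >&2; return 1
    fi
    if [ -n "$(find "$prog" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL: $prog is writable by group or others" >&2; return 1
    fi
    echo "OK: $prog may be executed as $user"
}

# private/ must be a directory owned by SERVER_USER with mode exactly 500,
# and private/Cgistub a file owned by OWNER (root in a real install, the
# third argument is only there for testing) with mode exactly 4711.
check_cgistub_install() {
    private=$1; server_user=$2; owner=${3:-root}
    if [ -z "$(find "$private" -prune -type d -user "$server_user" -perm 500 -print 2>/dev/null)" ]; then
        echo "FAIL: $private must be a directory owned by $server_user with mode 500" >&2; return 1
    fi
    if [ -z "$(find "$private/Cgistub" -prune -type f -user "$owner" -perm 4711 -print 2>/dev/null)" ]; then
        echo "FAIL: $private/Cgistub must be owned by $owner with mode 4711" >&2; return 1
    fi
    echo "OK: Cgistub installation in $private matches the documented layout"
}

# Usage with assumed paths and names:
#   check_cgistub_install /opt/ws7/https-vs1/private webservd
#   cgi_uid_ok "$(id -u cgiuser)" && check_cgi_program /export/vs1/cgi-bin/hello.cgi cgiuser
```

The checks use exact-mode matching (`-perm 500`, `-perm 4711`) rather than "at least these bits", because an extra group or world bit on private or on Cgistub is precisely what the procedure is trying to rule out.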
Give the send-cgi SAF reference in obj.conf a user parameter.
For example: Service fn="send-cgi" user="user"
You can use variable substitution. For example, in server.xml, give a virtual-server element the following variable subelement:
<variable user="user"/>
With this modification to server.xml, you can write the send-cgi SAF line in obj.conf as follows:
Service fn="send-cgi" user="$user"
For more information about server.xml and about send-cgi in the obj.conf file, see the Sun Java System Web Server 7.0 Update 4 Administrator’s Configuration File Reference.
Restart the server to apply the changes.
To prevent a virtual server’s CGI programs from interfering with other users, the CGI programs must be stored in a unique directory and executed with the permissions of a unique UNIX user and group.
Create the UNIX user and group. The exact steps required to create a user and group vary by operating system. For instructions, refer to your operating system's documentation.
Log in as a superuser.
Change to the document root directory for the virtual server.
cd document-root
Create the cgi-bin directory and set appropriate permissions.
mkdir cgi-bin
chown user:group cgi-bin
chmod 755 cgi-bin
Set the virtual server’s CGI directory, user, and group in one of the following ways.
Modify the obj.conf file.
Use the user and group parameters of the send-cgi Service SAF in the obj.conf file. For detailed instructions, see the Sun Java System Web Server 7.0 Update 4 Administrator’s Configuration File Reference.
In the Admin Console,
Select the Common Tasks tab.
Select CGI Directories from the Virtual Server Tasks list.
The CGI Settings window is displayed.
Type the user and the group that can execute CGI programs.
For more information on CGI directories, see the Sun Java System Web Server 7.0 Update 4 Administrator’s Guide.
Use the set-cgi-prop command to define a unique CGI directory, UNIX user and group for a virtual server.
For example:
./wadm set-cgi-prop --user=admin --password-file=admin.pwd --host=serverhost --port=8989 --config=config1 user=admin group=group
To further improve security, the CGI scripts must be prevented from accessing data above and outside of the document-root directory.
Set up the chroot environment. The exact steps required to set up the chroot environment vary by operating system. For instructions, refer to your operating system’s documentation, and see the man pages for the ftpd and chroot commands.
Steps required for Solaris versions 2.8 through 10 are described in the following procedure:
Log in as a superuser.
Change to the chroot directory.
chroot is typically the document-root directory of the virtual server.
cd chroot
Create tmp in the chroot directory and set appropriate permissions.
mkdir tmp
chmod 1777 tmp
Create dev in the chroot directory and set appropriate permissions.
mkdir dev
chmod 755 dev
List /dev/tcp, and note the major and minor numbers of the resulting output.
# ls -lL /dev/tcp
crw-rw-rw- 1 root sys 11, 42 Apr 9 1998 /dev/tcp
In this example, the major number is 11 and the minor number is 42.
Create the tcp device using the major and minor numbers.
mknod dev/tcp c 11 42
chmod 666 dev/tcp
Repeat the preceding steps (list the device with ls -lL, then create it with mknod using its major and minor numbers) for each of the following devices.
Each device will have a different major and minor number combination.
/dev/udp /dev/ip /dev/kmem /dev/kstat /dev/ksyms /dev/mem /dev/null /dev/stderr /dev/stdin /dev/stdout /dev/ticotsord /dev/zero
Set permissions on the devices in dev in the chroot directory.
chmod 666 dev/*
Create and populate lib and usr/lib in the chroot directory.
mkdir usr
mkdir usr/lib
ln -s /usr/lib
ln /usr/lib/* usr/lib
You can ignore the messages this command generates.
If the /usr/lib directory is on a different file system, use the following command:
cp -rf /usr/lib/* usr/lib
Create and populate bin and usr/bin in the chroot directory.
mkdir usr/bin
ln -s /usr/bin
ln /usr/bin/* usr/bin
You can ignore the messages this command generates.
If the /usr/bin directory is on a different file system, use the following command:
cp -rf /usr/bin/* usr/bin
Create and populate etc in the chroot directory.
mkdir etc
ln /etc/passwd /etc/group /etc/netconfig etc
Test the chroot environment.
chroot chroot bin/ls -l
The output should look like this example:
total 14
lrwxrwxrwx   1 root     other          8 Jan 13 03:32 bin -> /usr/bin
drwxr-xr-x   2 user     group        512 Jan 13 03:42 cgi-bin
drwxr-xr-x   2 root     other        512 Jan 13 03:28 dev
drwxr-xr-x   2 user     group        512 Jan 13 03:26 docs
drwxr-xr-x   2 root     other        512 Jan 13 03:33 etc
lrwxrwxrwx   1 root     other          8 Jan 13 03:30 lib -> /usr/lib
drwxr-xr-x   4 root     other        512 Jan 13 03:32 usr
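The following shell script is an added example, not part of this Sun documentation or of the product. It automates the mechanical parts of the chroot procedure above: it creates the tmp, dev, etc and usr skeleton with the documented modes, and it derives the mknod command for each listed device by parsing the `ls -lL` output exactly as the procedure reads the major and minor numbers off it. Device creation needs root and the numbers differ between hosts, so the commands are printed by default and only executed when the assumed environment variable RUN_MKNOD=1 is set; populating lib and bin with the ln commands from the procedure is left to the administrator.

```shell
#!/bin/sh
# Added example, not the product's own code: build a CGI chroot skeleton and
# derive mknod commands from `ls -lL` output. The chroot path is an assumption
# passed by the caller; RUN_MKNOD is an assumed switch for this script only.

# Devices the procedure asks for (Solaris names); ones absent on this host are skipped.
CHROOT_DEVICES="/dev/tcp /dev/udp /dev/ip /dev/kmem /dev/kstat /dev/ksyms /dev/mem
/dev/null /dev/stderr /dev/stdin /dev/stdout /dev/ticotsord /dev/zero"

# Turn one `ls -lL` line such as
#   crw-rw-rw-   1 root  sys  11, 42 Apr  9  1998 /dev/tcp
# into "<type> <major> <minor>" (type c or b); fails for anything that is
# not a character or block device.
parse_device_line() {
    printf '%s\n' "$1" | awk '{
        t = substr($1, 1, 1)
        if (t != "c" && t != "b") exit 1
        maj = $5; sub(/,$/, "", maj)   # field 5 is "11," in the listing
        print t, maj, $6
    }'
}

# The mknod command that recreates the device under CHROOT/dev, given its ls line.
device_mknod_cmd() {
    chroot=$1; line=$2
    parsed=$(parse_device_line "$line") || return 1
    set -- $parsed
    [ $# -eq 3 ] || return 1
    name=${line##*/}                  # last path component of the device
    printf 'mknod %s/dev/%s %s %s %s\n' "$chroot" "$name" "$1" "$2" "$3"
}

# Create tmp (1777), dev (755), etc and usr/{lib,bin} under CHROOT.
make_chroot_skeleton() {
    chroot=$1
    mkdir -p "$chroot/tmp" "$chroot/dev" "$chroot/etc" \
             "$chroot/usr/lib" "$chroot/usr/bin" || return 1
    chmod 1777 "$chroot/tmp" && chmod 755 "$chroot/dev"
}

# For every listed device present on this host, print (or with RUN_MKNOD=1
# run) the mknod command and the chmod 666 the procedure applies afterwards.
make_chroot_devices() {
    chroot=$1
    for dev in $CHROOT_DEVICES; do
        [ -e "$dev" ] || { echo "skip: $dev not present on this host" >&2; continue; }
        cmd=$(device_mknod_cmd "$chroot" "$(ls -lL "$dev" 2>/dev/null)") || {
            echo "skip: $dev is not a device node" >&2; continue; }
        name=${dev##*/}
        if [ "${RUN_MKNOD:-0}" = 1 ]; then
            $cmd && chmod 666 "$chroot/dev/$name" || echo "failed: $cmd" >&2
        else
            printf '%s\nchmod 666 %s/dev/%s\n' "$cmd" "$chroot" "$name"
        fi
    done
    return 0
}

# Usage (assumed chroot path):
#   make_chroot_skeleton /export/vs1 && make_chroot_devices /export/vs1   # review, then
#   RUN_MKNOD=1 make_chroot_devices /export/vs1                           # as root
```

Reviewing the printed commands before running them is the point of the dry run: a wrong major/minor pair silently creates a node for a different driver, so the listing that produced each pair should be compared with the `ls -lL` output shown in the procedure.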
Set the virtual server’s chroot directory in one of the following ways.
Modify the obj.conf file.
Use the chroot parameter of the send-cgi Service SAF in the obj.conf file. For detailed instructions, see the Sun Java System Web Server 7.0 Update 4 Administrator’s Configuration File Reference.
Use the Admin Console.
Select the Common Tasks tab.
Select CGI Directories from the Virtual Server Tasks list.
The CGI Settings window is displayed.
Enter the Chroot directory.
For detailed instructions, see the Sun Java System Web Server 7.0 Update 4 Administrator’s Guide.
Use the set-cgi-prop command.
Example: ./wadm set-cgi-prop --user=admin --password-file=admin.pwd --host=serverhost --port=8989 --config=config1 chroot=vs_dir
For information on the set-cgi-prop command, see the Sun Java System Web Server 7.0 Update 4 Administrator’s Configuration File Reference.
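The following shell script is an added example, not part of this Sun documentation or of the product. It ties together the obj.conf settings described above (the user and group parameters of send-cgi and the chroot parameter for the virtual server's chroot directory): it audits every send-cgi Service line in an obj.conf file, reports any that lack a user, group or chroot parameter, and for a literal chroot path checks that the dev and tmp directories created by the chroot procedure exist. Values written as server.xml variables (such as `$user`) are accepted but their paths cannot be resolved here. The directive syntax is the one shown on this page; the file path is an assumption supplied by the caller.

```shell
#!/bin/sh
# Added example, not the product's own code: audit send-cgi directives in
# obj.conf for the parameters a custom execution environment relies on.
# Expected directive form (from the documentation):
#   Service fn="send-cgi" user="user" group="group" chroot="/export/vs1"

# Print the value of PARAM (e.g. user) from one directive line, or nothing.
# The parameter must be preceded by whitespace so that "user" does not
# match inside some longer parameter name.
saf_param() {
    line=$1; param=$2
    printf '%s\n' "$line" | sed -n "s/.*[[:space:]]$param=\"\([^\"]*\)\".*/\1/p"
}

# Audit OBJ_CONF. Prints one finding per problem and returns 1 if any were
# found, 0 when every send-cgi line carries user, group and chroot and each
# literal chroot directory has dev/ and tmp/ in it.
audit_send_cgi() {
    obj_conf=$1
    findings=$(
        # send-cgi lines with their line numbers, commented-out lines dropped
        grep -n 'fn="send-cgi"' "$obj_conf" | grep -v '^[0-9]*:[[:space:]]*#' |
        while IFS= read -r numbered; do
            lineno=${numbered%%:*}; line=${numbered#*:}
            for p in user group chroot; do
                [ -n "$(saf_param "$line" "$p")" ] ||
                    printf 'line %s: send-cgi has no %s parameter\n' "$lineno" "$p"
            done
            chroot=$(saf_param "$line" chroot)
            case $chroot in
                '' | '$'*) ;;   # missing, or a server.xml variable: no path to check
                *) for sub in dev tmp; do
                       [ -d "$chroot/$sub" ] ||
                           printf 'line %s: chroot %s lacks %s/\n' "$lineno" "$chroot" "$sub"
                   done ;;
            esac
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage (assumed path): audit_send_cgi /opt/ws7/https-vs1/config/obj.conf
```

Run it after editing obj.conf by hand or after set-cgi-prop, and before restarting the server: a send-cgi line without user falls back to the server's own identity, and one without chroot leaves the CGI programs with the same view of the file system as the server, which is exactly what the procedures above are meant to prevent.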