Before you can create a custom execution environment, you must install the suid Cgistub and run it as root:
Log in as the superuser.
su
Create the private directory for Cgistub:
cd server_root/https-instance
mkdir private
Copy Cgistub to the private directory:
cd private
cp ../../bin/https/bin/Cgistub .
Set the owner of private to the server user:
chown user .
Set the permissions on private:
chmod 500 .
Set the owner of Cgistub to root:
chown root Cgistub
Set the permissions on Cgistub:
chmod 4711 Cgistub
You can give each reference to the send-cgi SAF in obj.conf a user parameter. For example:
Service fn="send-cgi" user="user"
You can use variable substitution. For example, in server.xml add a VARS subelement to the VS (virtual server) element:
<VARS user="user"/>
This lets you write the send-cgi SAF line in obj.conf as follows:
Service fn="send-cgi" user="$user"
For more information about send-cgi in the obj.conf file and server.xml, see the Sun Java System Web Server 6.1 SP11 Administrator’s Configuration File Reference.
Restart the server to put the changes into effect.
Installing Cgistub in the server_root/https-instance/private directory is recommended. If you install it anywhere else, you must specify the path to Cgistub in the init-cgi function in magnus.conf. For details, see the Sun Java System Web Server 6.1 SP11 NSAPI Programmer’s Guide.
It is not possible to install the suid Cgistub program on an NFS mount; you must install your server instance on a local file system.
Cgistub enforces the following security restrictions:
The user the CGI program executes as must have a uid of 100 or greater. This prevents anyone from using Cgistub to obtain root access.
The CGI program must be owned by the user it is executed as and must not be writable by anyone other than its owner. This makes it difficult for anyone to remotely execute programs.
Cgistub creates its UNIX listen socket with 0700 permissions.
Socket permissions are not respected on a number of UNIX variants, including current versions of SunOS/Solaris. To prevent a malicious user from exploiting Cgistub, change the server’s temporary directory (using the magnus.conf TempDir directive) to a directory accessible only to the server user.
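The ownership and mode rules above can be checked mechanically. The following is an added example, not part of the Sun documentation; the function names and the sample `ls -ln` lines used to exercise them are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit files against the Cgistub rules described above.
# Each function takes one `ls -ln` line, so it also works on saved listings.

MIN_UID=100   # Cgistub refuses to run CGI programs as a uid below this

# verdict_cgi LS_LINE RUN_UID -> prints "ok" or the rule that is violated
verdict_cgi() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    if [ "$2" -lt "$MIN_UID" ]; then echo "uid-below-$MIN_UID"; return 1; fi
    if [ "$owner" != "$2" ]; then echo "owner-mismatch"; return 1; fi
    # Characters 6 and 9 of the mode string are the group and other write bits.
    case "$mode" in
        ?????w*|????????w*) echo "writable-by-non-owner"; return 1 ;;
    esac
    echo "ok"
}

# verdict_stub LS_LINE -> Cgistub itself must be root-owned with mode 4711
verdict_stub() {
    mode=$(printf '%s\n' "$1" | awk '{print substr($1, 1, 10)}')
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    if [ "$owner" != "0" ]; then echo "not-owned-by-root"; return 1; fi
    if [ "$mode" != "-rws--x--x" ]; then echo "mode-not-4711"; return 1; fi
    echo "ok"
}

# Usage: sh audit.sh CGISTUB_PATH CGI_PROGRAM RUN_UID
if [ "$#" -eq 3 ]; then
    echo "Cgistub: $(verdict_stub "$(ls -ln "$1")")"
    echo "CGI:     $(verdict_cgi "$(ls -ln "$2")" "$3")"
fi
```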
After you have installed Cgistub you can create custom execution environments by doing the following, as described in this section:
To prevent CGI programs of the virtual server from interfering with other users, these programs should be stored in a unique directory and executed with the permissions of a unique UNIX user and group.
First, create the UNIX user and group. The exact steps required to create a user and group vary by operating system. For instructions, consult your operating system's documentation.
Log in as the superuser.
su
Change to the virtual server directory.
cd vs_dir
Create the cgi-bin directory.
mkdir cgi-bin
chown user:group cgi-bin
chmod 755 cgi-bin
Now you can set the virtual server’s CGI directory, user, and group in one of these ways:
Use the dir, user, and group parameters of the send-cgi Service SAF in the obj.conf file. See the Sun Java System Web Server 6.1 SP11 Administrator’s Configuration File Reference.
Enter this information using the Settings page in the Preferences tab of the Virtual Server Manager. See the Sun Java System Web Server 6.1 SP11 Administrator’s Guide.
To further improve security, these CGI scripts should be prevented from accessing data outside the virtual server directory.
First, set up the chroot environment. The exact steps required to set up the chroot environment vary by operating system. For instructions, consult your operating system’s documentation. The man pages for ftpd and chroot are a good place to start.
These are the steps required for Solaris versions 2.6 through 8:
Log in as the superuser.
su
Change to the chroot directory. This is typically the vs_dir directory mentioned in the previous section.
cd chroot
Create tmp in the chroot directory:
mkdir tmp
chmod 1777 tmp
Create dev in the chroot directory:
mkdir dev
chmod 755 dev
List /dev/tcp, and note the major and minor numbers of the resulting output. In this example, the major number is 11 and the minor number is 42:
ls -lL /dev/tcp
crw-rw-rw- 1 root sys 11, 42 Apr 9 1998 /dev/tcp
Create the tcp device using the major and minor numbers:
mknod dev/tcp c 11 42
chmod 666 dev/tcp
Repeat steps 5 and 6 (listing the device, then creating it with mknod) for each of the following devices. Each device will have a different major and minor combination:
/dev/udp /dev/ip /dev/kmem /dev/kstat /dev/ksyms /dev/mem /dev/null /dev/stderr /dev/stdin /dev/stdout /dev/ticotsord /dev/zero
Set permissions on the devices in dev in the chroot directory:
chmod 666 dev/*
Create and populate lib and usr/lib in the chroot directory:
mkdir usr
mkdir usr/lib
ln -s /usr/lib
ln /usr/lib/* usr/lib
You can ignore the messages this command generates.
If the /usr/lib directory is on a different file system, replace the last command with the following:
cp -rf /usr/lib/* usr/lib
Create and populate bin and usr/bin in the chroot directory:
mkdir usr/bin
ln -s /usr/bin
ln /usr/bin/* usr/bin
You can ignore the messages this command generates.
If the /usr/bin directory is on a different file system, replace the last command with the following:
cp -rf /usr/bin/* usr/bin
Create and populate etc in the chroot directory:
mkdir etc
ln /etc/passwd /etc/group /etc/netconfig etc
Test the chroot environment:
chroot chroot bin/ls -l
The output should look something like this:
lrwxrwxrwx 1 root other 8 Jan 13 03:32 bin -> /usr/bin
drwxr-xr-x 2 user group 512 Jan 13 03:42 cgi-bin
drwxr-xr-x 2 root other 512 Jan 13 03:28 dev
drwxr-xr-x 2 user group 512 Jan 13 03:26 docs
drwxr-xr-x 2 root other 512 Jan 13 03:33 etc
lrwxrwxrwx 1 root other 8 Jan 13 03:30 lib -> /usr/lib
drwxr-xr-x 4 root other 512 Jan 13 03:32 usr
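Steps 5 and 6 of the procedure above have to be repeated for thirteen devices, so reading the major and minor numbers by hand is error-prone. The following added example (not part of the Sun documentation) derives the mknod command from an `ls -lL` line; the function name `mknod_cmd` and the `--print` switch are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: turn `ls -lL /dev/NAME` output into the matching mknod command.

# Devices named in the procedure above.
DEVICES="tcp udp ip kmem kstat ksyms mem null stderr stdin stdout ticotsord zero"

# mknod_cmd LS_LINE -> prints "mknod dev/NAME TYPE MAJOR MINOR"; returns 1 if
# the line does not describe a character or block device.
mknod_cmd() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[cb]/ {
            type = substr($1, 1, 1)
            if ($5 ~ /^[0-9]+,[0-9]+$/) {          # "11,42" with no space
                split($5, mm, ","); major = mm[1]; minor = mm[2]
            } else {                               # "11," "42"
                major = $5; sub(/,$/, "", major); minor = $6
            }
            n = split($NF, parts, "/")             # keep only the device name
            if (major ~ /^[0-9]+$/ && minor ~ /^[0-9]+$/) {
                printf "mknod dev/%s %s %s %s\n", parts[n], type, major, minor
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Dry run: print one mknod command per device for review before running them
# as root from the chroot directory.
if [ "${1:-}" = "--print" ]; then
    for d in $DEVICES; do
        mknod_cmd "$(ls -lL "/dev/$d")" || echo "# skipped /dev/$d" >&2
    done
fi
```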
Now you can set the chroot directory of the virtual server in one of these ways:
Use the chroot parameter of the send-cgi Service SAF in the obj.conf file. See the Sun Java System Web Server 6.1 SP11 Administrator’s Configuration File Reference.
Enter this information using the Settings page in the Preferences tab of the Virtual Server Manager. See the Sun Java System Web Server 6.1 SP11 Administrator’s Guide.