Rev cgi install + potential problem with cgi tutorial
J. Landman Gay
jacque at hyperactivesw.com
Thu May 6 17:19:23 CDT 2004
On 5/6/04 1:29 PM, jbv wrote:
> Hi folks,
> You probably remember my posts from last week about
> the problems I was facing while trying to install Rev cgi
> on a Linux server.
> I'm happy to say that these problems have been solved,
> and I thought some of you could be interested in knowing
> what was wrong.
I'm glad you got it figured out, and thanks for posting.
> Actually the main reason why Rev cgi wasn't running
> properly (not running at all in fact) was because the server
> configuration had been carefully set to prevent any executable
> to launch from the cgi-bin folder.
I see. I haven't run into that in any of the ISPs I've used, but it is
good to note. I'll update the tutorial to mention this.
> The local Linux expert who helped me on this issue told me
> that a few rules should be followed, for instance :
> - it looks like a BAD IDEA to install the cgi engine and the scripts
> in the same folder (it might open a serious SECURITY HOLE in
> Apache), and any well-configured server doesn't allow that;
This usually comes from admins who don't understand the Rev engine. Did
he mention what security holes might occur? I have been told that the
Rev engine is fairly unique in that there isn't any way to hack into it,
so there aren't any security holes regardless of what folder it is
installed into. I understand that this is "famous last words," but I
have been unable, for example, to run a script from a local source that
accesses the engine on my server. I won't say there is no way to abuse
it, but Scott Raney (the author of the engine) didn't think there was.
That being said, you can of course write a script that is insecure
itself. There is a risk if your scripts indiscriminately execute any
parameters that are sent (which the tutorial mentions.) Avoid using "do"
to execute parameters without testing them first to make sure they are
valid and/or safe. If a script is executing any params it receives
without checking them first, then it doesn't really matter where the
engine is installed, since the problem is with the script itself.
> - it is a good idea to set privileges of the scripts files (and of the
> directories in which they are installed) so that only the cgi
> engine (that is supposed to run them) can run them;
If the scripts are in the cgi folder, then permissions should already be
correct. However, I'd still like to update the tutorial to cover this --
what permissions did you set on the scripts, and where were they installed?
> - if your cgi scripts are supposed to create / delete folders & files,
> it is a good idea to allow these operations in a special directory,
> and to set privileges so that only your engine and your scripts
> could do it.
This is covered in the tutorial, though maybe not as clearly as it
should be. The tutorial mentions that typically you can't create files
within the cgi folder, and that another folder should be used for that
purpose. It suggests a sub-directory with different permissions, or a
folder outside the cgi folder somewhere.
> We actually spent a couple of hours setting and testing everything,
> and now everything runs fine.
> I don't think I'm overreacting on this topic (although I don't want
> to scare anyone) but I have the strong feeling that if you want to
> use Rev cgi for some serious / professional project (and not only
> some home experiments), you should be wise to take all these security
> issues into consideration, and ask for advice from a Linux specialist.
I understand your concerns, and they are entirely valid. The difference
is that the Rev engine is internally secure and won't allow much abuse.
I am having trouble thinking of a way that anyone could remotely hack
into it (though I'd very much like to know if anyone does find one.) So
while your Linux advisor was right to be concerned, much of what he told
you doesn't apply to Revolution cgis. However, the point that your cgi
folder did not allow executables to be installed inside should be
addressed by the tutorial (I never thought of that, since the three ISPs
I've used all allowed it.) The simple solution is to just install the
engine wherever the ISP requires, make sure the paths to the engine are
correct in the scripts, and leave the scripts in the cgi folder.
The problem with this, though, is that so many ISPs have never heard of
Rev that many of them are unwilling to install it. So if your ISP does
allow executables in the cgi folder, it is much simpler to just put it
there yourself. The alternative often involves a very long explanation
to the ISP about what Rev is, why it is safe, how it can't be abused, etc.
> For that reason, I think that the installation part of the cgi tutorial
> should be re-written, and should include more detailed advice about
> the installation procedure.
Agreed, I'll make some changes over the weekend.
Jacqueline Landman Gay | jacque at hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com
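
The advice above about not passing request parameters to "do" unchecked, as an added example that is not part of the original post or the tutorial: a Rev CGI script where the parameter only selects from a fixed set of actions and any value it uses is validated first. The engine path in the first line and the parameter names (action, name, cmd) are assumptions made for illustration.

```livecode
#!revolution -ui
-- Added example (constructed). The engine path on the line above is an
-- assumption; point it at wherever the engine is installed on your server.

on startup
  -- Turn "action=greet&name=alice" into tParams["action"], tParams["name"]
  put $QUERY_STRING into tParams
  split tParams by "&" and "="

  put urlDecode(tParams["action"]) into tAction
  put urlDecode(tParams["name"]) into tName

  -- Unsafe pattern the post warns about: "do" on a raw parameter runs
  -- whatever script text the client sent.
  --   do urlDecode(tParams["cmd"])

  -- Safer: the parameter only selects one of a fixed set of actions.
  switch tAction
    case "date"
      put the long date into tResult
      break
    case "greet"
      -- Validate before use: letters, digits, underscore, 1 to 32 chars
      if matchText(tName, "^[A-Za-z0-9_]{1,32}$") then
        put "Hello," && tName into tResult
      else
        put "Invalid name" into tResult
      end if
      break
    default
      put "Unknown action" into tResult
  end switch

  put "Content-Type: text/plain" & cr & cr
  put tResult
end startup
```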