[Zope] hard-coded pcgi

Kevin Dangoor kid@ans.net
Wed, 3 Feb 1999 09:44:16 -0500


On Tue, Feb 02, 1999 at 09:31:07PM -0600, Jeff Bauer wrote: 
,-----
| Kevin Dangoor wrote:
| >  Does anyone out there already have a pcgi-wrapper that is
| > hardcoded to run directly instead of through a script like Zope.cgi?
| > I want to do this so that I can safely run it setuid. If no one
| > has such a beast, I'll muck about in the C code and see if I can
| > patch it. (I haven't done anything in C since '96... the thought
| > of going back is frightening :)
| 
| I'm not sure I understand how this increases security, but if your
| goal is to hardwire all your Zope settings into a binary, it's
| not difficult to do.

Here's my thinking... I'm running in a shared hosting environment. In
order to prevent everyone on the same machine as my server from being
able to write to my var directory, I would like to be able to run pcgi
as setuid. However, the way it works now would allow people to run
arbitrary programs under my user ID. It's not a huge exposure, but it
can be eliminated.

|  Although maintaining it will be a drag.
| If you're going to go down this path, you might as well
| write a Python shell script to automate the process, i.e.
| have it read in Zope.cgi to create a header file that is
| then compiled to your binary.  (Please call it something
| other than pcgi-wrapper.)  This should all be probably
| placed in a Makefile, with Zope.cgi as your dependency.

My thinking was something like this:
Make a #define for hardcoding. If it's there, the parsing code goes away
and the necessary variables are filled in by other #defines in the header.
That way, it is easy to choose which way to do it and easy to set it up.
Yes, maintaining it still requires recompiling the program, but I think
the improved security is worth it.

Unless there's something I've missed, I think this is the most secure way
for one to run Zope in a shared hosting environment...

Kevin

| 
| With queasy regards,
| 
| Jeff Bauer
| Rubicon, Inc.
| 
`-----

-- 
Kevin Dangoor
UUnet Technologies
kid@ans.net / 734-214-7349
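
The compile-time switch proposed in the message above, sketched as an added example; it is not code from the original post or from pcgi-wrapper itself. The macro, struct, key names and paths are all hypothetical, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; not taken from the real pcgi-wrapper source. */
#define WRAP_HARDCODED 1                     /* remove to restore file parsing */
#define HARD_EXE    "/usr/local/bin/python"  /* constructed sample values */
#define HARD_SOCKET "/home/me/zope/var/pcgi.soc"

struct wrap_cfg { char exe[256]; char socket_path[256]; };

/* Copy with guaranteed NUL termination (truncates if src is too long). */
static void set_field(char *dst, size_t n, const char *src) {
    snprintf(dst, n, "%s", src);
}

/* Fill cfg; returns 0 on success, -1 on failure.
 * In hardcoded mode info_path is ignored, so no caller-supplied file can
 * choose which program runs under the setuid owner's id. */
int load_cfg(const char *info_path, struct wrap_cfg *cfg) {
    memset(cfg, 0, sizeof *cfg);
#ifdef WRAP_HARDCODED
    (void)info_path;                          /* parsing code compiled out */
    set_field(cfg->exe, sizeof cfg->exe, HARD_EXE);
    set_field(cfg->socket_path, sizeof cfg->socket_path, HARD_SOCKET);
    return 0;
#else
    char line[512];
    FILE *f = fopen(info_path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {     /* KEY=VALUE, one per line */
        line[strcspn(line, "\r\n")] = '\0';
        if (strncmp(line, "EXE=", 4) == 0)
            set_field(cfg->exe, sizeof cfg->exe, line + 4);
        else if (strncmp(line, "SOCKET=", 7) == 0)
            set_field(cfg->socket_path, sizeof cfg->socket_path, line + 7);
    }
    fclose(f);
    return (cfg->exe[0] && cfg->socket_path[0]) ? 0 : -1;
#endif
}

int main(int argc, char **argv) {
    struct wrap_cfg cfg;
    if (load_cfg(argc > 1 ? argv[1] : "", &cfg) != 0) return 1;
    printf("exe=%s socket=%s\n", cfg.exe, cfg.socket_path);
    return 0;
}
```

With `WRAP_HARDCODED` defined, the path argument has no effect on the result, which is the property that matters for a setuid binary.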