9fans - fans of the OS Plan 9 from Bell Labs
* Re: [9fans] CGI
From: presotto @ 2002-02-13  3:20 UTC
  To: 9fans

In general, I agree with russ.  The best way to do it
would be to not have to run as alice or to run the
httpd as alice.  The latter requires changing it to
avoid the 'becomenone' routine and have alice start
it herself.  You could run arbitrarily many httpd's
just by using the -a option and specifying a different
port to listen for each, e.g. -a tcp!*!8000.

------

As rsc pointed out, you can take a hint from our
mail system.  Smtpd runs as none but can deliver
mail into anyones mail file.  The files are
protected alrw--w--w-, i.e., append only, exclusive
access and writeable by anyone.  I have a lock file in addition
to the mbox.  The lock file, is protected alrw-rw-rw-.
When I want to do anything to the mail box, I:

	/* try to set the lock: open fails while another process holds the 'l'-bit file open */
	for(tries=0; tries < Maxtries && (lock=open(L.mbox, ORDWR))<0; tries++)
		sleep(1000);	/* delay in ms; the value is illustrative */
	if(lock < 0)
		fatal("getting lock");

	/* affect/read mail box */
	...

	/* unlock: closing the exclusive-access lock file releases it */
	close(lock);

I still leave the 'l' bit on the mailbox to catch
any stupid accidents.

You could do something similar, except you'd probably
want to make your alice file alrw-rw-rw-.

That's what I did with mail anyways...

------

You could also go nuts and run a server
as alice and have one of the httpd magic
files pass requests to it.  I think this
is overkill but doable.  Rsc's idea of
an alicefs is just a special case of this.
The problem here though is getting the
servers running as alice every reboot.
You'd probably need cron to start it
for you if it wasn't already started.

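The lock-file discipline presotto sketches above, as an added example that is not code from the thread or from the Plan 9 distribution. Plan 9's exclusive-use ('l') bit has no direct POSIX equivalent, so this version swaps in flock(2) with LOCK_EX|LOCK_NB: the open-and-retry loop, the bounded number of tries, and "close releases the lock" are kept as in the original sketch, but the enforcement mechanism is different. The names takelock, appendrecord, countrecords and maketmp are invented for this example, the scratch files under /tmp are constructed stand-ins for alice's data file and lock file, and POSIX mode bits cannot express "append-only for everyone else" the way Plan 9's 'a' bit does, so the data file is simply opened O_APPEND. Standard C on a POSIX system is assumed.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

enum { Maxtries = 20 };

/* Create an empty scratch file under /tmp and return its path in buf
 * (at least 32 bytes). Constructed stand-in for alice's real files. */
int
maketmp(char *buf)
{
	int fd;

	strcpy(buf, "/tmp/cgilock-XXXXXX");
	fd = mkstemp(buf);
	if(fd < 0)
		return -1;
	close(fd);
	return 0;
}

/* Take the lock: open the lock file and try a non-blocking exclusive
 * flock, retrying up to `tries` times with `delay_ms` between attempts.
 * Returns the lock fd or -1. As with the 'l' bit, close(2) releases it. */
int
takelock(const char *lockpath, int tries, long delay_ms)
{
	int fd, i, err;
	struct timespec ts;

	ts.tv_sec = delay_ms / 1000;
	ts.tv_nsec = (delay_ms % 1000) * 1000000L;
	for(i = 0; i < tries; i++){
		fd = open(lockpath, O_RDWR);
		if(fd < 0)
			return -1;	/* no lock file: misconfiguration, not contention */
		if(flock(fd, LOCK_EX|LOCK_NB) == 0)
			return fd;
		err = errno;	/* save before close() can clobber it */
		close(fd);
		if(err != EWOULDBLOCK)
			return -1;
		nanosleep(&ts, NULL);
	}
	return -1;	/* still held by someone else after all tries */
}

/* Append one record to the data file while holding the lock. O_APPEND
 * means a concurrent writer cannot overwrite earlier records even if it
 * ignores the lock. Returns 0 on success, -1 on failure. */
int
appendrecord(const char *lockpath, const char *datapath, const char *rec)
{
	int lock, fd, rv;
	size_t n;

	lock = takelock(lockpath, Maxtries, 50);
	if(lock < 0)
		return -1;
	rv = -1;
	fd = open(datapath, O_WRONLY|O_APPEND);
	if(fd >= 0){
		n = strlen(rec);
		if(write(fd, rec, n) == (ssize_t)n)
			rv = 0;
		close(fd);
	}
	close(lock);	/* unlock */
	return rv;
}

/* Count newline-terminated records in the data file (owner's reader side). */
int
countrecords(const char *datapath)
{
	FILE *f;
	int c, n;

	f = fopen(datapath, "r");
	if(f == NULL)
		return -1;
	n = 0;
	while((c = getc(f)) != EOF)
		if(c == '\n')
			n++;
	fclose(f);
	return n;
}

int
main(void)
{
	char lockpath[32], datapath[32];
	int held;

	if(maketmp(lockpath) < 0 || maketmp(datapath) < 0)
		return 1;
	held = takelock(lockpath, 3, 10);
	printf("first open: %s\n", held >= 0 ? "locked" : "failed");
	printf("second open while held: %s\n",
		takelock(lockpath, 2, 10) < 0 ? "refused" : "granted (bug)");
	close(held);
	printf("append: %d\n", appendrecord(lockpath, datapath, "Subject: hi\n"));
	printf("records: %d\n", countrecords(datapath));
	unlink(lockpath);
	unlink(datapath);
	return 0;
}
```

The second takelock in main is the check worth keeping in any port of this pattern: it opens the lock file a second time while the first descriptor is still held and must be refused, which is the property the 'l' bit gives for free on Plan 9 and which a plain "does the lock file exist" test does not.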

* [9fans] CGI
From: arisawa @ 2002-02-14 13:01 UTC
  To: 9fans

Hello russ and presotto,

Thank you for your advice.

A Web server running on Plan9 can configure its namespace
and therefore can hide other users' documents and CGIs.
You can find such a server at my ftp (ftp://ar.plan9.aichi-u.ac.jp).
So, I decided to run the server as user `web'.
User `web' is not a real user, that is, the user need not have
files of his own.
If alice has a file that she wants to be accessed only by her and
by her CGI, she can set:
-lrw-rw---- alice web ...
This file is hidden from other users' CGIs, so no one can access it
via a malicious CGI.

Kenji Arisawa
E-mail: arisawa@aichi-u.ac.jp



* Re: [9fans] CGI
From: Russ Cox @ 2002-02-13  1:56 UTC
  To: 9fans

In increasing order of complexity, I see four choices:

1. Make the file world writable (chmod 666).
Then anyone on your server can edit the file;
maybe you don't like that.

2. Make the file world writable but append-only,
restructuring your program so that it's okay that
the file is only appended to.  Then anyone on the
server can append to the file, but you can't lose
a previous state of the file.

3. Run the web server as alice through whatever
mechanism you like.  Then if a script kiddie hacks
it, he can pretend to be alice.

4. Write a file server to moderate access to B
so that the web server programs don't have to
be privileged and you can restrict the set of 
allowed operations as much as you want.

As an example, if I were particularly concerned,
I could run the wikifs as a special "wiki" user
and then the web server programs could still
interact with wikifs through the file system as none.
In fact, I'm not concerned, so I run the wikifs 
as none, and all the wiki data is chmod 666.

Russ




* Re: [9fans] CGI
From: Russ Cox @ 2002-02-13  1:17 UTC
  To: 9fans

Why not make the relevant bits of the file
world readable?




* [9fans] CGI
From: arisawa @ 2002-02-13  0:34 UTC
  To: 9fans

Hello Russ,

Thank you for your quick response.

>Why not make the relevant bits of the file
>world readable?
My explanation was somewhat sketchy.

Please change:
>and assume the program needs to read from file B
to
and assume the program needs to write file B
and
>-r--r----- 16 alice alice  .... B
to
-rw-rw---- 16 alice alice  .... B

I am interested in reading/updating a file in Web application.

Kenji Arisawa
E-mail: arisawa@aichi-u.ac.jp




* [9fans] CGI
From: arisawa @ 2002-02-13  0:05 UTC
  To: 9fans

Hello 9fans,

Now I am considering the CGI environment of a Web server.

Let A be a CGI program that is owned by user alice,
and assume the program needs to read from file B
that must be protected from access by other users.
That is, the permission mode is required to be,
-r--r----- 16 alice alice  .... B

Then how can we design Web server on Plan9?

On UNIX, this problem may be solved using SETUID, or
more safely using a CGI wrapper.

Plan9 does not have such an easy way for `none' to become `alice'.
Authentication would be required.

Public key cryptography may be applied.
Let the Web server start in server mode; then httpd can read the secret
key, which is in a file owned by bootes with permission 400.
User alice encrypts her password using the public key and puts it
somewhere.
When executing A, httpd decrypts her key and then becomes `alice'.

I am afraid this scheme gives too many rights to httpd.
We need only that a given CGI can read a given file.

Do you have other solutions?

Kenji Arisawa
E-mail: arisawa@aichi-u.ac.jp



end of thread, other threads:[~2002-02-14 13:01 UTC | newest]

Thread overview: 6+ messages
2002-02-13  3:20 [9fans] CGI presotto
2002-02-14 13:01 arisawa
2002-02-13  1:56 Russ Cox
2002-02-13  1:17 Russ Cox
2002-02-13  0:34 arisawa
2002-02-13  0:05 arisawa