Re: Split swish-e binary?

From: Bill Moseley <moseley(at)not-real.hank.org>
Date: Tue Oct 02 2001 - 15:57:54 GMT
At 06:35 AM 10/02/01 -0700, SRE wrote:
>At 09:54 AM 10/1/01, Bill Moseley wrote:
>>This is on-topic because security issues are always on topic...
>
>It's also not enlightening anyone or changing any minds!

That's what I'm worried about! ;)

Of course, I'm not arguing that removing a bit of code does not make it
less likely that that code will execute.  

I am saying that's not the best place to focus your security efforts.  The
fact that your sysadmin is making a stink about fopen calls makes me worry
that real security issues are overlooked.  And calling a version of swish
without that code "safe" or even "safer" is a disservice to anyone that
might not know better.  Focusing on the fopen calls is a distraction from
real security concerns, and adds marginal security benefit.

If I was looking for security holes in swish itself, I'd be looking at
buffer overruns, not code like:

if ( create_index )
{
   if ( swish-search )
      progerr("Sorry, no can do");
   else
      write_index();
}

Where I can easily see how swish-search is set.  

But it's really hard to review every bit of code in swish.  You are better
off assuming that swish CAN write to files, and be sure that it's run in an
environment where a) there's no way the CGI script can tell swish to do
anything bad, and b) even if it does do something bad the OS will keep it
from doing anything damaging.

>>If I'm misunderstanding some key point, please detail it.  But I just don't
>>see how removing open-for-write calls adds any security.
>
>See my last post. It's harder to overwrite files on the server.
>You zeroed in on root files, he's thinking about other files in
>the web directories.

Why do you have files writable by the webserver?  If you have files that
must be written by CGI applications then there's a bunch of ways to protect
those.  SuExec or CGIWrap for example, or a password protected database.
And backups.  I'd be a lot more concerned about those CGI applications than
swish code like:

if ( swish-search )
   progerr("Sorry, no can do");
else
   write_index();

>>Do you remove the
>>open-for-write calls in your HTTP, DNS, and mail servers that write log
>>files?
>
>No, because security issues there are much better understood.
>More people have been banging on them for a longer time.

Right.  One of my machines was hacked in June through Bind.  Luckily, I run
it non-root and in a chroot jail.  There was a telnetd root hack in July,
too, IIRC.


>At 12:56 PM 10/1/01, Philip Mak wrote:
>>Even if you think the daemons are
>>secure, you can only be 100% sure that the daemons are not vulnerable if
>>you shut them down---thus, you shut them down if you don't need them.
>
>Well said! Thanks.

Oh, that's helpful.  "Hello, tech support?  The web server is not
responding and customers can't buy anything!!"  

"Yes, we have disabled the web server to improve our web server's security."

Ok, I'll agree: if you turn the computer off then it's more secure.

Bill Moseley
mailto:moseley@hank.org
Received on Tue Oct 2 15:58:23 2001
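The practical follow-up to Bill's question above ("Why do you have files writable by the webserver?") and to his advice to assume the binary CAN write and to constrain the environment instead, is to find out what the web server account could actually overwrite. The script below is an added example for this archive page; it is not part of the thread and not swish-e code. It assumes only POSIX find(1); the account name www-data and the document root path are placeholders to replace with the values of the host being audited.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from swish-e).
# Audit a document root for paths the web server account could overwrite:
# either owned by that account with the owner-write bit set, or group- or
# world-writable regardless of owner.  Anything listed is a candidate for
# tightening permissions or moving behind SuExec/CGIWrap, as the post suggests.

# audit_writable DOCROOT ACCOUNT
#   Prints, one per line and sorted, every file or directory under DOCROOT
#   that ACCOUNT could write to.  Exit status is that of sort (0 on success).
audit_writable() {
    docroot="$1"
    account="$2"
    # -a binds tighter than -o in find, so the owner test pairs with -perm -0200.
    find "$docroot" \( -type f -o -type d \) \
        \( -user "$account" -perm -0200 -o -perm -0020 -o -perm -0002 \) \
        -print 2>/dev/null | sort
}

# count_writable DOCROOT ACCOUNT
#   Same audit, but returns only the number of hits (handy for a cron check
#   that should alert when the count is not what was expected).
count_writable() {
    audit_writable "$1" "$2" | wc -l | tr -d ' '
}

# Usage on a real host (placeholder values):
#   audit_writable /var/www/htdocs www-data
# Run it as part of a periodic check; the expected answer for a static site
# is an empty list, with any writable spool or index directory listed
# explicitly and nothing else.
```

Ownership matters as much as mode bits: a 0644 file owned by the web server account is writable by a compromised CGI even though it looks read-only to everyone else, which is why the audit keys on the account name rather than on world-writability alone.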