Security of FreeBSD CGI and SSI

Source: Internet
Author: User

Allowing a program to run on the server in response to user requests is a security risk in itself, so enable these features only when they are genuinely needed.

For SSI the security issue is relatively simple: the server can be configured to parse ordinary SSI directives while refusing to execute external programs. To do so, use Options IncludesNOEXEC in the configuration file rather than Options Includes; this satisfies the general security requirement.

CGI programs are more complex. CGI can be enabled in two ways: by mapping a CGI program directory with ScriptAlias, or by registering a CGI file suffix. Identifying CGI programs by suffix is appropriate only when you trust the users to write CGI programs with no, or few, vulnerabilities; otherwise badly written CGI programs will appear and leave the system open to attack. It is therefore more common to restrict CGI programs to a few fixed directories, so that every CGI program can at least be checked by the server administrator and the obvious vulnerabilities avoided.

Another problem with CGI programs is that a CGI program that wants to save data submitted by the browser client must access the system's file system. The Apache server normally uses the User and Group directives to set the user and group it runs as, and a CGI program started by Apache runs with that same user and group by default. It therefore has whatever permissions that user and group hold on the file system, which is a further effect on system security. Since CGI programs must nevertheless be allowed to access data files, the User and Group settings have to be adjusted appropriately so that the programs can reach the right data files and nothing more.

Even so, because all CGI programs run as the same user, one user's CGI program can operate on another user's data files, which is a security problem. To let different users execute CGI programs under different user identities, the SetUID mechanism of the program is needed; however, SetUID brings serious system vulnerabilities of its own, so SetUID programs should not be used unless necessary, and SetUID-root programs least of all. Apache's suEXEC can be used to set the user identity: it first switches to the appropriate user and then executes the corresponding CGI program.
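The settings discussed above, collected into one httpd.conf fragment as an added example (not configuration from the original article): each weak directive is shown commented out next to its restricted form. The directory paths, the www user and group, and the alice virtual host are assumptions.

```apache
# Added example, not from the original article. Paths, the www user/group
# and the "alice" virtual host are assumed values for illustration.

# Server identity: every CGI program inherits this unless suEXEC is used.
User  www
Group www

# --- SSI ---
# Weak: "Includes" lets a page run external programs via <!--#exec ... -->.
# <Directory "/usr/local/www/apache24/data">
#     Options Includes
# </Directory>
# Restricted: parse SSI directives but refuse #exec.
<Directory "/usr/local/www/apache24/data">
    Options +IncludesNOEXEC
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>

# --- CGI ---
# Weak: a suffix handler runs any .cgi file, wherever ExecCGI is enabled,
# as the server user; every user who can upload files becomes a CGI author.
# AddHandler cgi-script .cgi
# Restricted: only programs in one administrator-reviewed directory run.
ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"
<Directory "/usr/local/www/apache24/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

# --- suEXEC ---
# Run this site's CGI programs as the site owner instead of www, so one
# user's CGI program cannot read or write another user's data files.
<VirtualHost *:80>
    ServerName example.org
    DocumentRoot "/home/alice/public_html"
    SuexecUserGroup alice alice
    ScriptAlias /cgi-bin/ "/home/alice/public_html/cgi-bin/"
</VirtualHost>
```

suEXEC refuses to run a program unless it lives under the document root compiled into the suexec binary and is owned by the target user; `suexec -V` prints those compile-time limits so they can be checked against the paths above.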
