The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Arbitrary Code Execution

I was previously tasked with the creation of a remote build server.  My solution consisted of a website where people upload essentially a zipfile of their code and it builds it for them and returns it in the form of a link to the file.  Unfortunately one of the requirements of the project consists of allowing people to include a custom batch file which is executed blindly on the server-side (server runs on Windows XP Pro).  You can probably already see where this is going... a truly determined party could go so far as to write a custom executable and then execute it through the batch script and completely compromise the entire server.  Now the only people who have access to this are indeed company employees and the server itself is only available on the intranet.  But this still doesn't ease my worry about the possibilities of what *could* happen.

My question I guess is two-fold: 

a) Should I really be worried and/or care so much?  It's not my system, it's not my network, I just work here. 

b) Is there anything I can do to get around this without my server losing the ability to execute batch files? (Really doubt it).

Thanks.
Somebody Send private email
Tuesday, March 01, 2005
 
 
You could run the server in an emulation layer such as VMWare and then provide a different server to each process.

I wouldn't worry too much. Explain to people that the build server is a common resource, and then later if it is trashed, explain to everyone why the resource has gone away for a while.

~Matt
Matt Doar Send private email
Tuesday, March 01, 2005
 
 
Log everything.

Since the users are employees, you can track them down and beat them over the head with the print out if they mess up your pretty server.
Arsalan Zaidi Send private email
Wednesday, March 02, 2005
 
 
You could set it up so that when they submitted the ZIP file they had to provide their domain logon and password. Then the first thing the build server would do is switch to using their account. Then they wouldn't be able to do anything that they weren't permitted to do anyway. If they were in a user account and didn't have administrative privileges on the machine they couldn't do terribly much harm.
Joel Spolsky Send private email
Wednesday, March 02, 2005
 
 
Matt: Hopefully they all realize this without saying. 

Arsalan:  Thank you, yes I'm already doing this and plan on it :).

Joel: Unfortunately our network is not set up in this manner; there are no domain accounts for logging into PCs, and each user is administrator of their own system.

---

I should have also probably mentioned people from outside of the studio will be using the server as well (we are a multi-site (international) company) so I can't just go and slap them when they break it.  Nor will I probably even know who they are or have an opportunity to meet them :).
Somebody Send private email
Wednesday, March 02, 2005
 
 
IIS allows you to specify what account 'anonymous' access uses.  By default it's something like IUSR_servername.  By default it is not an admin on the box.  I think it only has Guest privileges by default.  You can either control what the existing account has permissions on or create another account and plop it in.
Grant
Wednesday, March 02, 2005
 
 
I'm using apache, but chances are the same rules should apply.  That's a good point and something I will check out.  Thanks.
Somebody Send private email
Wednesday, March 02, 2005
 
 
VMware. Install one perfect image and then clone it for every execution? Fresh perfect and predictable install on every iteration in a completely closed sandbox.
Alexandre Carmel-Veilleux Send private email
Thursday, March 03, 2005
 
 
Joel's solution is not limited to Domain logins.
You can have your service running and accepting the potentially nasty stuff, and then when you run it switch to a local account with the limited privileges.  No Domain necessary.

See CreateProcessAsUser() and LogonUser()

My question to you is, what are you trying to protect against?  A User
* opening up access to the machine
* trashing the machine
* gaining access to things they shouldn't
* something else...
E Normouse
Tuesday, March 08, 2005
 
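The limited-account approach from the two replies above, worked through in PowerShell as an added example (not code from the thread or from any poster). Start-Process -Credential does the logon-and-spawn for you, so the submitter's batch runs under a throwaway local account rather than the build service's own identity; the runner is granted write access to the job directory only, the whole process tree is killed on timeout, and one audit line per job is appended, which covers the "log everything" advice as well. Everything named here is an assumption: the account 'buildrunner' (a member of Users and nothing else), the paths, and a current Windows with icacls and the [pscredential] accelerator, which the thread's XP box would not have. Note that a Users-level account can still read most of the system drive and is still exposed to any local privilege-escalation bug, so this narrows the blast radius rather than removing it.

```powershell
# Added example, not code from the thread. Runs a submitter's batch file as a
# dedicated unprivileged local account rather than as the build service itself.
# Assumptions (all hypothetical): a local account 'buildrunner' that is only a
# member of Users, a job directory the upload was already extracted to, and a
# current Windows with icacls (the thread's XP box would need cacls instead).

function Invoke-UntrustedBuild {
    param(
        [Parameter(Mandatory)] [string]       $JobDir,            # e.g. C:\builds\job-0042
        [Parameter(Mandatory)] [pscredential] $Runner,            # credential for 'buildrunner'
        [string] $BatchName      = 'build.cmd',                   # submitter's script inside the upload
        [int]    $TimeoutSeconds = 900,
        [string] $LogRoot        = 'C:\buildlogs'
    )
    $ErrorActionPreference = 'Stop'
    $jobId   = Split-Path $JobDir -Leaf
    $account = $Runner.UserName
    $batch   = Join-Path $JobDir $BatchName
    if (-not (Test-Path $batch)) { throw "no $BatchName in $JobDir" }

    # The job directory is the only place the runner is granted write access;
    # (OI)(CI) makes the Modify grant inherit to everything the upload contains.
    & icacls $JobDir /grant:r "${account}:(OI)(CI)M" /T | Out-Null

    New-Item -ItemType Directory -Force -Path $LogRoot | Out-Null
    $stdout = Join-Path $LogRoot "$jobId.out.log"
    $stderr = Join-Path $LogRoot "$jobId.err.log"
    $start  = Get-Date

    # Log on as the limited user and spawn cmd.exe there; the batch and anything
    # it launches inherit that token, so they are bounded by what the account can do.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" `
        -ArgumentList '/d', '/c', "`"$batch`"" `
        -Credential $Runner -WorkingDirectory $JobDir -LoadUserProfile `
        -RedirectStandardOutput $stdout -RedirectStandardError $stderr `
        -WindowStyle Hidden -PassThru

    # On timeout kill the whole tree (/T), not just cmd.exe, or a detached child
    # keeps running after the build has been reported as failed.
    $timedOut = -not $proc.WaitForExit($TimeoutSeconds * 1000)
    if ($timedOut) {
        & taskkill /PID $proc.Id /T /F | Out-Null
        $proc.WaitForExit()
    }

    # One audit line per job. Who uploaded it is recorded by the web front end;
    # this records what ran, as whom, and how it ended.
    $record = [ordered]@{
        job      = $jobId
        account  = $account
        batch    = $BatchName
        started  = $start.ToString('o')
        ended    = (Get-Date).ToString('o')
        exitCode = $proc.ExitCode
        timedOut = $timedOut
    }
    ($record | ConvertTo-Json -Compress) | Add-Content -Path (Join-Path $LogRoot 'builds.jsonl')
    return [pscustomobject]$record
}

# Usage, with whatever password the service keeps for the runner account:
# $cred = Get-Credential -UserName 'buildrunner' -Message 'runner password'
# Invoke-UntrustedBuild -JobDir 'C:\builds\job-0042' -Runner $cred
```

The service that calls this still needs enough rights to start a process as another user and to change ACLs on the job directory, which is why the thread's suggestion of a separate, lower-privileged account for the web front end itself (the IIS anonymous-user point above) is worth combining with it.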
 
One possible solution is to have users check their code into whatever source control repository you're using, including the executable batch file.  Then have the build machine check out the source tree and build those projects that have changes.  As a matter of fact there's already software to do this (provided you use Ant or Maven) at http://sourceforge.cruisecontrol.net

As the repository is on a separate machine from your build system, this makes it considerably harder for any ne'er-do-wells to cover their tracks after trashing the build system.
Tim Clemons Send private email
Thursday, March 10, 2005
 
 
Bleah...that URL should be http://cruisecontrol.sourceforge.net/
Tim Clemons Send private email
Thursday, March 10, 2005
 
 
Joel: "Then they wouldn't be able to do anything that they weren't permitted to do anyway. If they were in a user account and didn't have administrative privileges on the machine they couldn't do terribly much harm."

Couldn't do much harm? Do you mean something such as "privilege escalation"? http://secunia.com/search/?adv_search=1&s=1&search=windows&w=0&vuln_title=1&vuln_software_os=1&vuln_bodytext=1&vuln_cve=1&critical%5B%5D=0&impact%5B%5D=3&where%5B%5D=0
Jonas
Thursday, March 24, 2005
 
 

This topic is archived. No further replies will be accepted.
