Re: setuid root CGI's - how bad it is?
On Thu, Sep 18, 1997 at 04:57:02AM +0000, Eloy A. Paris wrote:
: Excuse my ignorance but how bad is it to have a setuid CGI script?
: I know there should be big security issues with this but I don't
: know what it is.
Are you 100% sure that your CGI has no bugs, no potential buffer overruns,
doesn't trust input gathered from the User Agent, blah blah blah?
If not, and you shouldn't be 100% sure, don't run CGIs suid to root.
: I have a CGI script that needs to write files in a user's home directory.
: How can I do that?
If that's all you want, it's easy. Do this:
1) Authenticate the user against the system's /etc/passwd.
2) Use Apache's suEXEC module to run the CGI under the user's UID,
   after authenticating the user.
--
Jason Costomiris <>< | "VMS is about as secure as a poodle
jcostom@sjis.com | encased in a block of lucite....
http://www.jasons.org/~jcostom/ | .... about as useful, too."
#include <disclaimer.h> | --some guy I read on Usenet
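
The CGI side of the suEXEC approach in the reply above, as an added example that is not part of the original message: a CGI that refuses to run with any root or setuid identity and creates a file in the invoking user's home directory without following symlinks or overwriting existing files. The names `safe_name`, `privileges_ok`, `write_in_dir` and the file name `notes.txt` are hypothetical, and the code assumes a POSIX.1-2008 system (`openat`, `O_NOFOLLOW`).

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Plain names only: no '/', no leading '.' (rejects "../x", .forward, .rhosts). */
int safe_name(const char *name)
{
    size_t n = name ? strlen(name) : 0;
    if (n == 0 || n > 64 || name[0] == '.')
        return 0;
    return strspn(name, "abcdefghijklmnopqrstuvwxyz"
                        "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-") == n;
}

/* Refuse any root identity and any real/effective mismatch (setuid/setgid). */
int privileges_ok(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != 0 && euid != 0 && ruid == euid && rgid == egid;
}

/* Create a new file `name` in `dir`, which must be owned by the caller.
 * O_EXCL never overwrites; O_NOFOLLOW never writes through a symlink. */
int write_in_dir(const char *dir, const char *name, const char *data)
{
    struct stat st;
    if (!safe_name(name)) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid()) { close(dfd); return -1; }
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, strlen(data));
    return (close(fd) == 0 && w == (ssize_t)strlen(data)) ? 0 : -1;
}

int main(void)
{
    struct passwd *pw = getpwuid(geteuid());
    if (!pw || !privileges_ok(getuid(), geteuid(), getgid(), getegid()))
        return EXIT_FAILURE;
    /* "notes.txt" is a constructed stand-in for a request-supplied name. */
    int rc = write_in_dir(pw->pw_dir, "notes.txt", "saved by CGI\n");
    printf("Content-Type: text/plain\r\n\r\n%s\n", rc == 0 ? "saved" : "failed");
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```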