Re: setuid root CGI's - how bad it is?
Hi,
At 08:11 AM 9/18/97 -0400, Jason Costomiris wrote:
>Are you 100% sure that your CGI has no bugs, no potential buffer overruns,
>doesn't trust input gathered from the User Agent, blah blah blah?
>
>If not, and you shouldn't be 100% sure, don't run CGI's suid to root.
No, I am not sure and I know I shouldn't be running my script suid to root.
>If that's all you want, it's easy. Do this:
>
>1) Authenticate the user against the system's /etc/passwd.
OK, my script is doing this. The user can enter his login ID and his
password through an HTML form and the CGI script validates the user against
/etc/passwd, making sure the UID of the user is >= 1000.
>2) Use Apache's suEXEC module to run the CGI under the user's UID,
> after authenticating the user.
This sounds like the solution but where can I find this module? It is not
part of the apache-modules package.
Thanks,
E.-
--
Eloy A. Paris
Information Technology Department
Rockwell Automation de Venezuela
Telephone: +58-2-9432311 Fax: +58-2-9431645 Cel.: +58-16-234700
"Where does this path lead?" said Alice
"Depends on where you want to go." Said the cat
("Alice in Wonderland", by Lewis Carroll.)
--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org .
Trouble? e-mail to templin@bucknell.edu .
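The two steps discussed in this message (accept only accounts with UID >= 1000, then run under that user's UID) can be sketched as a small root-started wrapper. This is an added example, not code from the thread and not suEXEC's own source; `target_allowed`, `drop_to_user` and the rejection of GID 0 are assumptions made for illustration, and the user name is assumed to have been authenticated already.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* for initgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MIN_UID 1000             /* threshold from the post: UID >= 1000 */

/* Policy check (hypothetical helper): 1 if pw may be a target, else 0. */
int target_allowed(const struct passwd *pw)
{
    if (pw == NULL) return 0;
    if (pw->pw_uid < MIN_UID) return 0;  /* root and system accounts */
    if (pw->pw_gid == 0) return 0;       /* assumption: never keep root's group */
    return 1;
}

/* Permanently become pw. Order matters: groups first, UID last,
 * because once the UID is dropped the group calls would fail.
 * Returns 0 on success, -1 on any failure (caller must then exit). */
int drop_to_user(const struct passwd *pw)
{
    if (!target_allowed(pw)) return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* Verify the drop is complete and cannot be undone. */
    if (setuid(0) == 0) return -1;
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) return -1;
    if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* argv[1]: login name that has already passed authentication. */
    if (argc != 2) { fprintf(stderr, "usage: %s user\n", argv[0]); return 2; }
    if (drop_to_user(getpwnam(argv[1])) != 0) {
        fprintf(stderr, "refusing to run as %s\n", argv[1]);
        return 1;
    }
    printf("now uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;                    /* the real work would start here */
}
```

Every return value is checked because a failed `setuid()` that goes unnoticed leaves the rest of the program running as root.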