
Re: setuid root CGI's - how bad it is?



Eloy A. Paris wrote:
> 
> Hi,
> 
> (sorry for the off-topic question but I don't know where to ask)
> 
> Excuse my ignorance but how bad is it to have a setuid CGI script?

If you insist on a script, a Perl script written by a knowledgeable and
paranoid programmer could be safe.  A C program written by a bozo would
be less safe.  There are probably programmers who could create a not too
dangerous CGI in sh, though not safe, at least in standard Linux.  In
short, if the creator of the script is knowledgeable about the attacks
that might occur, the resultant CGI will be safe, but if the CGI creator
doesn't have a clue, the CGI will not be safe no matter what it's
written in.

> I know there should be big security issues with this but I don't
> know what it is.
> 
> I have a CGI script that needs to write files in a user's home directory.
> How can I do that?
> 
> Thanks and my apologies for being off-topic again.
> 
> E.-
> 
> --
> 
> Eloy A. Paris
> Information Technology Department
> Rockwell Automation de Venezuela
> Telephone: +58-2-9432311 Fax: +58-2-9431645
> 
> --
> TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
> debian-user-request@lists.debian.org . Trouble?
> e-mail to templin@bucknell.edu .

-- 
-----------------------------------------
Ralph Winslow		      rjw@nac.net
The IQ of the group is that of the member
whose IQ is lowest  divided by the number
of members.



