Re: cannot run pgps in a cgi script under apache
Ethan Benson [erbenson@alaska.net] wrote:
> On 17/12/99 Shao Zhang wrote:
>
> > I have no other choice. I need it to read the shadow passwd. It
> > is only accessible within a private network and all traffic is
> > SSL encrypted. So I guess it is pretty secure.
>
> well reading shadow password files from apache is bad anyway (i
> assume for htaccess?) since it allows very fast and mostly

It is not for htaccess. It is mainly used for setting up accounts,
which involves writing as well.

> unstoppable password cracking efforts on your system password files,
> you might as well just unshadow the passwords since any additional
> protection offered by shadow passwords is completely undone by
> letting apache read them.

True. But it is still only readable to root which means apache
as well. Again, apache is sitting in our private network. A
machine with good security should be that, given the root
passwd of that machine, it is still uncrackable.

Again, I know this is a security hole. But in this case, I
really need it, and which is why apache src offers a
configuration option to allow run as root.

Cheers,
Shao.
--
____________________________________________________________________________
Shao Zhang - Running Debian 2.1 ___ _ _____
Department of Communications / __| |_ __ _ ___ |_ / |_ __ _ _ _ __ _
University of New South Wales \__ \ ' \/ _` / _ \ / /| ' \/ _` | ' \/ _` |
Sydney, Australia |___/_||_\__,_\___/ /___|_||_\__,_|_||_\__, |
Email: shao@cia.com.au |___/
_____________________________________________________________________________