Re: enabling suexec with debian apache [solved]
On Mon, 21 Feb 2000, Adam Shand wrote:
>
> > It is the way it is supposed to be.
>
> is there a something in the docs i missed explaining that this is what needs
> to be done? it took me a very frustrating hour to figure this out. if not
> it should be submitted as a documentation bug, right?
>
> > With suEXEC enabled, cgi-s run setuid-ed, which is always a risky thing,
> > so it should be done on the administrator's explicit statement, hence
> > the need for enabling suEXEC manually.
>
> well, they run suid'd to the user which is a whole lot less risky then
> having them run as the user that the web server runs as. i agree that
> having another suid root binary is always a bad thing but suexec is kinda
> pointless with out it, and it's a major security boon.
>
> adam.
>
>
If there is an exploitable cgi, then there is web access to all of the
owning user's files. If it is not run via the suEXEC mechanism, then the
permissions are that of www-data, which are close to nothing.
If suEXEC is enabled, then a lot more requirements need to be met for
running a cgi. This usually leads to a lot of users complaining about this
and that is not working and why, when it runs on another similar machine?
Robert Varga
Reply to: