Re: enabling suexec with debian apache [solved]
On Mon, 21 Feb 2000, Joe Block wrote:
> Robert Varga wrote:
> > If there is an exploitable cgi, then there is web access to all of the
> > owning user's files. If it is not run via the suEXEC mechanism, then the
> > permissions are those of www-data, which are close to nothing.
>
> Without using suexec or cgiwrap, how do you keep each user's cgis from
> mucking about with the other users' cgi datafiles? And I certainly
> don't want one of my student users' cgis able to mess with my log files,
> which are also owned by www-data.
That IS a case where it is needed, and it must be set up by the admin to use
suexec.
>
> > If suEXEC is enabled, then a lot more requirements need to be met for
> > running a cgi. This usually leads to a lot of users complaining about this
> > and that not working, and why, when it runs on another similar machine?
>
> This is a good thing, IMO. Once students realize that it's their files
> and quota that are going to be eaten up by runaway cgis, in my
> experience they start paying more attention to what they're writing.
>
It is not only what they write, but what they set the permissions to, as
well. I know, this is also what they should learn. But with
exploitable setuid cgi-s (and one can never be sure that one's code is
unexploitable), not only his cgi datafiles, but all files can be accessed
and modified as well.
Robert Varga
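The "requirements" suexec imposes are mostly ownership and permission rules on the CGI and its directory, and they are what students usually trip over. The checker below is an added illustration, not code from this thread or from Apache's suexec binary: it mimics a subset of suexec's file-level checks (target uid at or above a floor, file and directory owned by the target user, no setuid/setgid bit, no group or world write on either) so an admin can print the first violated rule for a given script. It does not cover suexec's remaining checks (document root, calling uid, environment), the uid floor of 1000 is an assumed value standing in for the compile-time minimum, and it assumes GNU stat(1) with -c, id(1) and mktemp(1). The files in the demo are constructed on the spot.

```shell
#!/bin/sh
# Added example, not suexec itself: reproduce a subset of the file-level
# rules suexec applies before running a CGI as its owner.
# Assumptions: GNU stat -c, id -u <user>, mktemp -d; uid floor 1000 is an
# illustrative default, the real value is fixed when suexec is built.

# check_suexec_target FILE USER [UID_MIN]
#   Prints "ok" and returns 0 when FILE passes these rules for USER,
#   otherwise prints the first violated rule and returns 1.
check_suexec_target() {
    f=$1; u=$2; uid_min=${3:-1000}
    [ -f "$f" ] || { echo "not a regular file: $f"; return 1; }

    uid=$(id -u "$u" 2>/dev/null) || { echo "no such user: $u"; return 1; }
    [ "$uid" -ge "$uid_min" ] || { echo "uid $uid below minimum $uid_min"; return 1; }

    owner=$(stat -c %U "$f")
    [ "$owner" = "$u" ] || { echo "file owned by $owner, not $u"; return 1; }

    perm=$(stat -c %a "$f")             # octal, e.g. 755 or 4755
    [ ${#perm} -le 3 ] || { echo "setuid/setgid/sticky bit set ($perm)"; return 1; }
    # the last two octal digits are group and other; 2,3,6,7 carry the write bit
    case "${perm#"${perm%??}"}" in
        *[2367]*) echo "file writable by group or others ($perm)"; return 1 ;;
    esac

    d=$(dirname "$f")
    downer=$(stat -c %U "$d")
    [ "$downer" = "$u" ] || { echo "directory owned by $downer, not $u"; return 1; }
    dperm=$(stat -c %a "$d")
    case "${dperm#"${dperm%??}"}" in
        *[2367]*) echo "directory writable by group or others ($dperm)"; return 1 ;;
    esac

    echo ok
    return 0
}

# demo: constructed scripts in a scratch directory owned by whoever runs this.
# The uid floor is passed as 0 only so the demo also runs as root; real
# suexec refuses uid 0 outright.
demo() {
    me=$(id -un)
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho "Content-Type: text/plain"; echo; echo hi\n' > "$tmp/good.cgi"
    chmod 755 "$tmp/good.cgi"
    cp "$tmp/good.cgi" "$tmp/sloppy.cgi"
    chmod 777 "$tmp/sloppy.cgi"         # the classic "just make it work" mistake
    for s in good sloppy; do
        printf '%s.cgi: %s\n' "$s" "$(check_suexec_target "$tmp/$s.cgi" "$me" 0)"
    done
    rm -rf "$tmp"
}
demo
```

Run it as the user who owns the scripts; "sloppy.cgi" is reported as writable by group or others, which is exactly the case where a flaw in one student's script would otherwise let another student rewrite it. Note that passing these checks says nothing about whether the script is exploitable, it only limits the blast radius to the owner's files, as Robert's point above makes clear.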