Re: enabling suexec with debian apache [solved]

Robert Varga wrote:

> > This is a good thing, IMO.  Once students realize that it's their files
> > and quota that are going to be eaten up by runaway cgis, in my
> > experience they start paying more attention to what they're writing.
> >
> It is not only what they write, but what they set the permissions to, as
> well. I know, this is also what they should learn. But with
> exploitable setuid cgi-s, and one can never be sure that his code is
> unexploitable, not only his cgi datafiles, but all files can be accessed
> and modified as well.

So create a second account, usercgi for the people who need to use cgis
and don't have the time/knowledge to secure them.

I still don't see where having all the users share one uid for their
cgis is better than having them use their own id - at least the damage
is limited to one user rather than all of them.

Joe Block <jpb@creol.ucf.edu>
CREOL System Administrator

Social graces are the packet headers of everyday life.
