Re: enabling suexec with debian apache [solved]
Robert Varga wrote:
> > This is a good thing, IMO. Once students realize that it's their files
> > and quota that are going to be eaten up by runaway cgis, in my
> > experience they start paying more attention to what they're writing.
> >
>
> It is not only what they write, but what they set the permissions to, as
> well. I know, this is also what they should learn. But with
> exploitable setuid cgi-s, and one can never be sure that his code is
> unexploitable, not only his cgi datafiles, but all files can be accessed
> and modified as well.

So create a second account, usercgi for the people who need to use cgis
and don't have the time/knowledge to secure them.

I still don't see where having all the users share one uid for their
cgis is better than having them use their own id - at least the damage
is limited to one user rather than all of them.

jpb
--
Joe Block <jpb@creol.ucf.edu>
CREOL System Administrator
Social graces are the packet headers of everyday life.