Re: enabling suexec with debian apache [solved]
> > this doesn't really solve the problem. it means that users cgi's can't
> > screw with the server's stuff but it doesn't stop them from messing with
> > each others stuff.
>
> I was unclear, I meant create a second account for each user who wants
> her cgis sandboxed.
ah, yes. that would be a better solution because then if a cgi is exploited
the users personal files are safe... doubling up accounts for users gets
pretty icky though as you get more and more users (we have about 45000
accounts on our servers and they all get cgi access if they want it). not
to mention the performance hit of having an even more enourmas password file
(linear lookups are not a happy thing on busy systems).
> It's never just bad luck. It's completely reasonable for users to
> expect other users laziness not to screw up their data.
i agree.
> I agree, the 5 minute cost to dl & build cgiwrap is more than made up
> for the first time some student's cgi eats his files and you only have
> to listen to one user whine instead of many.
AMEN! :)
> One important point about cgiwrap - the current debian package puts the
> user cgis in ~user/public_html/cgi-bin instead of ~user/cgi-bin. I've
> filed a bug about it. It's bad security for cgis and their associated
> datafiles to be web-readable. Yes, I know security through obscurity
> isn't really security, but we should at least make the black hats work a
> little to get at the cgi source.
yeah i'd wondered about this as well. it's not just the debian distribution
though it seems to be the default cgiwrap install (i might be talking out my
ass here as i haven't really delved deep into this but that's what my memory
tells me).
adam.
Reply to: