httpd-dev mailing list archives

From Rob Hartill
Subject Re: public_cgi-bin scripts
Date Mon, 17 Apr 1995 16:28:47 GMT
> "nopriv" has fewer privileges than "htbin". I think it's also restricted
> to the user's cgi directory, so it can't go off broadcasting the contents
> of anything outside of this directory.

This is why I suggested the CGI on but CMD off switch for includes.
At the moment the security at Cardiff relies on
none of the untrusted users getting wise enough to write
security-flawed scripts as includes.

XBITHACK is switched on everywhere at Cardiff. I doubt if the
sys admin realises the hole is there.

We've grown to rely on XBITHACK, and do need to execute included
scripts at times. The problem is that we're now back to an all or
nothing setup :-(

