Return-Path: owner-new-httpd
Received: by taz.hyperreal.com (8.6.10/8.6.5) id PAA03988; Mon, 17 Apr 1995 15:12:07 -0700
Received: from ns.elsevier.nl by taz.hyperreal.com (8.6.10/8.6.5) with ESMTP id PAA03982; Mon, 17 Apr 1995 15:12:04 -0700
Received: from www.elsevier.co.uk by ns.elsevier.nl with SMTP (PP); Tue, 18 Apr 1995 00:11:43 +0200
Received: by www.elsevier.co.uk (4.1/SMI-4.1) id AA01081; Mon, 17 Apr 95 23:08:37 BST
Date: Mon, 17 Apr 95 23:08:37 BST
From: Andrew Wilson
Message-Id: <9504172208.AA01081@www.elsevier.co.uk>
To: new-httpd@hyperreal.com
Subject: Re: public_cgi-bin scripts
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

> There are sites which use a setuid-root "wrapper" program so that a user's
> CGI scripts may run with the user's *own* full privileges --- but that's
> also a somewhat dangerous practice.

Ah, perhaps that's what COMMA are doing. Everyone's in bed right now so
I'll have to wait till tomorrow to get Robert Evans' answer. Unless Rob H
can remember?

> rst
>

Incidentally, is this dangerous in the sense of Joe.User writing a script to
fork a million processes and hang the server? Or writing some script which
fills up the filesystem. [in which case you shouldn't even give your users
access to 'cc' ;)] Or is there a more general security issue, like being
able to read .passwd files or whatever due to misplaced permissions.

Ay.