httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Randy Terbush <ra...@zyzzyva.com>
Subject Re: Opinions on CGI wrappers?
Date Tue, 28 May 1996 16:06:37 GMT
> Ben Laurie wrote:
> > 
> > Anyone got any views on the best/right/etc CGI wrapper to use?
> 
> I like, use and support cgiwrap (I can provide links if desired)
> > 
> > Do any of them use chroot() [he says, being extra paranoid]?
> 
> cgiwrap doesn't... Just various checks and user/group ID shuffling
> 

There has recently been some changes posted for mod_cgi that calls
a wrapper binary to do this. You can find a link to it at the
module registry.

As you know, I've taken the other extreme and am running the 
setuid stuff. I'm happy to offer a patch to anyone interested
in this approach. It would be very nice to get some more eyes
on this code to sort out possible problems.

The one thing that I am able to do with my patches is to assign
a UID on a per/virtual_host basis. One thing that I am going to
need to add in the near future is a per/directory config as well.
As I asked a week or so ago if anyone had run the MS FrontPage CGI,
in order to do this safely, I am going to need to be able to set
the EUID to the users home directory in order to prevent other users
from overwriting anyone elses pages.

This is an area that I am very interested in. While it does open
some frightening possibilities, I think it is entirely possible
to create a safe environment while still running this config.
In my web configuration, the trade-off is worth it for the added
security I gain over casual hackers.




Mime
View raw message