httpd-dev mailing list archives

From (Robert S. Thau)
Subject Re: Authentication
Date Wed, 05 Jun 1996 17:00:45 GMT
  if running with setuid scripts, then _all_
  scripts must setuid, and none to the web user.

  Does this work?

It eliminates one possible source of trouble.  There are others ---
the one I'm most conscious of is the risk of getting a maintenance
shell script or cron job to execute trojan horse code.  It's generally
considered good practice to run these sorts of things with a uid other
than root to minimize the risk from such attacks --- but if the 'www'
uid itself is, in your phrase, "as sacred and dangerous as root", you
lose that option with regard to server maintenance.

