httpd-dev mailing list archives

From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: Authentication
Date Wed, 05 Jun 1996 16:54:56 GMT
Robert S. Thau wrote:
> 
>   if running with setuid scripts, then _all_
>   scripts must setuid, and none to the web user.
> 
>   Does this work?
> 
> It eliminates one possible source of trouble.  There are others ---
> the one I'm most conscious of is the risk of getting a maintenance
> shell script or cron job to execute trojan horse code.  It's generally
> considered good practice to run these sorts of things with a uid other
> than root to minimize the risk from such attacks --- but if the 'www'
> uid itself is, in your phrase, "as sacred and dangerous as root", you
> lose that option with regard to server maintenance.

OK. You have a "webgroup" with two members, "webuser" and "webmaint". How does
that sound?

Cheers,

Ben.

> 
> rst

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.
