httpd-dev mailing list archives

From Ben Laurie <>
Subject Re: Authentication
Date Wed, 05 Jun 1996 16:54:56 GMT
Robert S. Thau wrote:
>   if running with setuid scripts, then _all_
>   scripts must setuid, and none to the web user.
>   Does this work?
> It eliminates one possible source of trouble.  There are others ---
> the one I'm most conscious of is the risk of getting a maintenance
> shell script or cron job to execute trojan horse code.  It's generally
> considered good practice to run these sorts of things with a uid other
> than root to minimize the risk from such attacks --- but if the 'www'
> uid itself is, in your phrase, "as sacred and dangerous as root", you
> lose that option with regard to server maintenance.

OK. You have a "webgroup" with two members, "webuser" and "webmaint". How does
that sound?



> rst

Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email:
A.L. Digital Ltd,           URL:
London, England.
