httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jason A. Dour" <>
Subject CGI security (fwd)
Date Wed, 23 Oct 1996 17:59:47 GMT

Hello, Graham,

	Your note on CGI security was forwarded to the developer's list.
I just wanted to take a few moments to respond to your letter.

> Having all CGI scripts run as the same username is a major problem, and
> one which is stopping me moving from the old CERN server to APACHE. With
> CERN 3.0 I can, with some fiddling about,set things up so that each
> users scripts run under that users userid and group, and so can't nobble
> system files or files belonging to other users. On a server which is
> shared by potentially thousands of staff and students, I can't get away
> with not allowing them to expeiment with CGI scripts, and I certainly
> don't trust any of them.
> Ideally, I'd like to be able to nominate a user CGI subdirectory, just
> like I can nominate a user "page" directory with the UserDir command.
> Something like "UserExec dirname" which would allow users to put their
> CGI scripts in the specified subdirectory of their home directory and
> would then run them as a process belonging to that username.

	Luckily, 1.2 should have some -- if not all -- of that for which
you are looking...  The 1.2b1 release (sometime in the near future I
understand) will include a 2/3 complete implementation of suEXEC.

	suEXEC has been a pet project for a few Apache developers.
Recently, I and Randy Terbush pounded out the early workings of suEXEC
based upon some work I did for the University of Louisville's WWW server.
I believe their situation is much the same as yours: faculty, staff, and
students all clamoring for CGI while the sysadmins cringe at the thought.

	The implementation of suEXEC in 1.2b1 will allow you two levels of
suEXEC behaviour.  One, it will automagically handle any CGI or EXEC
request from any ~userdir, and execute it as that user.  Two, it will
allow you to specify an exec User/Group for CGI and EXEC requests for each
VirtualHost.  Later implementations of suEXEC might also include: better
logging at server and user levels; User/Group definable for Directory,
Location, and Files directives; etc.

	I'd recommend giving 1.2b1 a try...I think you'll be pleased,
particularly if you are mainly interested in ~userdir CGI.

	Thanks for the letter.  I hope 1.2 works out for you!

+ Jason A. Dour                            +
| Programmer Analyst II      |
| Dept. of Radiation Oncology         Finger for Geek Code, PGP Public Key,|
+ University of Louisville            PJ Harvey info, and other stuff...   +

Version: 2.6.2


View raw message