httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: suexec concerns
Date Sat, 04 Jan 1997 17:06:19 GMT
Randy Terbush wrote:
> 
> > >I personally think it would be a Good Idea if suExec could be made
> > >as cgiwrap-like as possible, maybe by a compile-time selection. This
> > >includes forcing ~/public_html/cgi-bin restrictions and the like.
> > >I know Nathan is following this group and think a "merger" of
> > >suexec and cgiwrap for Apache would be good (of course, a
> > >standalone cgiwrap would still be needed for the unenlightened).
> > >
> > >cgiwrap is really designed around user's cgi-scripts, whereas I
> > >think that the focus for suexec has not been... At least, I don't
> > >think that it's been used in a cgiwrap-like way, since it assumes
> > >a "central location" for scripts.
> > >
> > >Nathan, comments?
> > 
> > Hmm... Well, what I'd almost like to see is some way of making cgiwrap
> > itself usable as the wrapper portion.
> > 
> > The big thing that suexec does that cgiwrap wasn't really designed for is
> > cgi-scripts directly in user dirs (i.e. using the .cgi extension and an
> > addtype). Whenever the directory that is being used for the cgi scripts
> > themselves is isolated, cgiwrap can be used without much trouble.
> 
> This is the problem that I ran into in the past when trying to come
> up with a setuid() solution for CGI in my environment. We don't care
> where the .CGI is installed, and we don't allow it for ~user.
> 
> While I welcome Nathan's feedback regarding suexec, it is my feeling
> that the Apache group's mission WRT suexec is to provide a simple,
> fast and secure wrapper to handle the functionality given by Apache
> without getting into a battle with CERT. If other projects like
> Nathan's choose to provide their own drop-in replacements, *great*.
> I would rather not become burdened with providing the
> "all singing/all dancing" version of the wrapper program.
> 

I don't think that either, but cgiwrap has been out for a while and
been used by a number of people. I think Nathan's input on suexec
would be very valuable. However, I wonder if the Apache group
itself should worry about the wrapper, but should instead
come up with an API to be used by said wrapper. It's great that
we include suexec, but I don't think, personally, that it should
be a "mission" for the group, any more than the regex implementation
is... after all, it _is_ in the support directory.

Right now, in a lot of ways, cgiwrap _is_ a drop-in replacement
for suexec... I think each costs 2 execs before the final
script is run. However, if we start some communication API between
suexec and Apache, we should make sure that other replacements,
like cgiwrap, can use it.

-- 
====================================================================
      Jim Jagielski            |       jaguNET Access Services
     jim@jaguNET.com           |       http://www.jaguNET.com/
                  "Not the Craw... the CRAW!"
