httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Randy Terbush <>
Subject Re: PR#112: Fixed or no..?
Date Wed, 23 Apr 1997 15:25:00 GMT

Exactly right. We would essentially need to turn off the security 
checks if the referenced directory is scriptaliases just to get it 
to hand off to the suexec wrapper. Then the wrapper security takes 
effect which we could probably not easily satisfy it's security 

I think that one thing needs to be made very clear in the docs.

*** SUEXEC cannot seamlessly replace CGI execution. It offers some 
significant advantages to the security issues of CGI, but cannot 
be implemented transparently.

> Without looking at it, if you use a global ScriptAlias directive (eg. 
> cgi-bin), then normally you could access it (eg.
> http://virtual-host/cgi-bin/foo) from within a virtual host.  If you put a
> User directive in that virtual host, that means _all_ scripts run from
> that virtual host are run as that User, which means that the ownership of
> the global CGI dir probably isn't right.
> The obvious workaround is to use http://main-host/cgi-bin/foo instead, but
> I'm not sure if anything more can be done; haven't thought about it
> though...
> On Wed, 23 Apr 1997, Rodent of Unusual Size wrote:
> >     If I'm reading it correctly, PR#112 claims that User/Group/suexec
> >     use within a virtual server prevents ScriptAlias scripts from
> >     running under certain circumstances.  This sounds like a pretty
> >     serious problem, and I think it was fixed (if even reproduced).  Can
> >     someone who actually uses suexec confirm the status on this?
> > 
> >     #ken    :-/}
> > 

View raw message