httpd-users mailing list archives

From "Lewis Watson" <li...@visionsix.com>
Subject Re: [users@httpd] Re: CGI - Disable #!/bin/sh
Date Sun, 24 Nov 2002 00:31:45 GMT
----- Original Message -----
From: "Steve" <steve123@iprimus.com.au>
To: <users@httpd.apache.org>
Sent: Saturday, November 23, 2002 6:08 PM
Subject: [users@httpd] Re: CGI - Disable #!/bin/sh


> Hi,
>      How do you stop a client from using like
>
>  ---hack.cgi---
>  #!/bin/sh
>  echo "Cat all files in user2 dir"
>  cat /home/web/users/user2/web/*
>  --hack.cgi---
>
>  This will allow someone to cat all the files of a user2's dir. Because all
>  the files need to be readable by all for the webserver user www to be able
>  to read the files this user will be able to read the files also..
>
>  Is there any way of making cgi stay in its own directory and not allowed
>  to go out of it.. or to stop it from running /bin/bash or something like
>  that so it can't view other users' files..
>
>  /Steve


Hi Steve.
Suexec should do what you want..
http://httpd.apache.org/docs/suexec.html
hth,
Lewis


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
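
An added example, not part of the original thread: with suEXEC a user's CGI runs under that user's own uid instead of as www, so what it can read in another user's web directory is whatever is still open to "other". The script below lists those entries under the /home/web/users/<user>/web layout from the question; the function names are hypothetical, and the group passed to lock_down is an assumption (a group the web server belongs to).

```shell
#!/bin/sh
# Added example: find what a CGI running as a *different* local user
# (for instance under suEXEC) could still read in each user's web directory.

# Print files with the "other" read bit and directories with the "other"
# traverse bit below $1. These are reachable by any local uid.
world_readable() {
    find "$1" \( -type f -perm -004 \) -o \( -type d -perm -001 \) 2>/dev/null | sort
}

# Number of exposed entries below $1; 0 means "other" has no way in.
exposed_count() {
    world_readable "$1" | wc -l | tr -d ' '
}

# One line per user directory: "<exposed entries> <path>".
audit_users() {
    base=$1
    for d in "$base"/*/web; do
        [ -d "$d" ] || continue
        printf '%s %s\n' "$(exposed_count "$d")" "$d"
    done
}

# Remove all "other" access below $1. When a group name is given as $2,
# hand the tree to that group first so the web server (assumed to be a
# member of it) can still read static files through the group bits.
lock_down() {
    dir=$1
    group=${2:-}
    if [ -n "$group" ]; then
        chgrp -R "$group" "$dir" || return 1
    fi
    chmod -R o-rwx "$dir"
}

# Stand-alone use: sh audit.sh /home/web/users
if [ "$#" -gt 0 ]; then
    audit_users "$1"
fi
```
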

