httpd-users mailing list archives

From "Steve" <steve...@iprimus.com.au>
Subject Re: [users@httpd] Re: CGI - Disable #!/bin/sh
Date Sun, 24 Nov 2002 02:50:56 GMT
I've got it installed..

but is there a way u can bypass the uid and gid checks..

My Web users are not in /etc/passwd.. so suexec is spitting out invalid
user...

Is there a way u can get apache to use a different passwd file or something?
----- Original Message -----
From: "Lewis Watson" <lists@visionsix.com>
To: <users@httpd.apache.org>
Sent: Sunday, November 24, 2002 11:31 AM
Subject: Re: [users@httpd] Re: CGI - Disable #!/bin/sh


> ----- Original Message -----
> From: "Steve" <steve123@iprimus.com.au>
> To: <users@httpd.apache.org>
> Sent: Saturday, November 23, 2002 6:08 PM
> Subject: [users@httpd] Re: CGI - Disable #!/bin/sh
>
>
> > Hi,
> >      How do u stop a client from using like
> >
> >  ---hack.cgi---
> >  #!/bin/sh
> >  echo "Cat all files in user2 dir"
> >  cat /home/web/users/user2/web/*
> >  --hack.cgi---
> >
> >  This will allow someone to cat all the files of a user2's dir. Because all
> >  the files need to be readable by all for the webserver user www to be able
> >  to read the files this user will be able to read the files also..
> >
> >  Is there any way of making cgi to stay in its own directory and not allowed
> >  to go out of it.. or to stop it from running /bin/bash or something like
> >  that so it can't view other users files..
> >
> >  /Steve
>
>
> Hi Steve.
> Suexec should do what you want..
> http://httpd.apache.org/docs/suexec.html
> hth,
> Lewis
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>




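Added example, not part of the original messages: a small audit for the two conditions raised in this thread, namely files under each user's web directory that any local account can read, and user names that do not resolve as system accounts. The `<root>/<user>/web` layout is taken from the path in the quoted post; the function names, the sample tree and the premise that suexec's user check relies on the system account lookup (the one `getent passwd` queries) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout, taken from the path in
# the post: <root>/<user>/web/...

# List regular files in a web directory that carry the "other" read bit,
# i.e. files any local account (including another user's CGI) can read.
world_readable() {
    find "$1" -type f -perm -004 -print 2>/dev/null | sort
}

# True if the name resolves through the system account database (NSS).
# Assumption: this is the lookup suexec's user check relies on.
user_resolves() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        id "$1" >/dev/null 2>&1
    fi
}

# One line per user directory: account status and exposed file count.
audit_tree() {
    for dir in "$1"/*/; do
        [ -d "${dir}web" ] || continue
        user=$(basename "$dir")
        count=$(world_readable "${dir}web" | wc -l | tr -d ' ')
        if user_resolves "$user"; then acct=resolves; else acct=unresolved; fi
        printf '%s account=%s world_readable_files=%s\n' "$user" "$acct" "$count"
    done
}

# Constructed sample tree so the audit can be tried offline.
make_sample() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/user1/web" "$t/user2/web"
    echo 'page' > "$t/user1/web/index.html"; chmod 640 "$t/user1/web/index.html"
    echo 'db password' > "$t/user2/web/config.inc"; chmod 644 "$t/user2/web/config.inc"
    echo "$t"
}

# Usage: sh audit.sh /home/web/users
if [ $# -gt 0 ]; then audit_tree "$1"; fi
```

A user reported as `unresolved` matches the situation in the top message, where the web users are not in /etc/passwd.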