httpd-users mailing list archives

From "Christian Ehlers" <ehl...@gmxpro.de>
Subject Re: [users@httpd] Securing cgi (suexec or another solution?)
Date Sat, 07 May 2005 22:11:11 GMT
Hello Marc,

thanks for the tip :)

After giving it some more thought, I decided to split my webspace into 2
different LVM partitions, one being mounted read-only and one being mounted
read-write.

This way I can run my scripts as a non-apache user, and still ensure they
cannot be modified by the user running them.

Regards,

 Christian
----- Original Message ----- 
From: "Marc Bentje" <noreply@htp-tel.de>
To: <users@httpd.apache.org>
Sent: Thursday, May 05, 2005 6:58 AM
Subject: Re: [users@httpd] Securing cgi (suexec or another solution?)


>
> Hello Christian,
>
> therefore I searched for a special version of chroot;
> searching a while, I found some mods
> that don't fit my needs but maybe yours
>
> try cgiwrap
>
> type it in sourceforge.net ... there are only two
> projects to choose from
>
> cheers
> marc
>
>
> On Thu, 2005-05-05 at 01:27, Christian Ehlers wrote:
>> Hello,
>>
>> I have a question about securing my cgi scripts with suexec.
>>
>> I have successfully set up my apache2 (V.: 2.0.52) with suexec.
>>
>> I am trying to accomplish the following goals:
>>
>> The cgi script should NOT:
>>
>>    run as the apache user.
>>    be able to write to itself.
>>    be able to create files within its directory.
>>    be able to write to other cgi scripts in the same directory.
>>
>> Unfortunately, suexec seems to require the directory and the cgi to be
>> executed to belong to the user/group that executes it.
>>
>> Is there any way to have suexec not check if the directory/program
>> belongs to them?
>>
>> I’d prefer to have my script owned by root and running under a normal
>> user that is not the apache user.  Is there any way to accomplish this
>> with either suexec or another solution?
>>
>> Thanks for any help.
>>
>> Regards,
>>
>>  Chris
>>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
> 
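
The trade-off discussed in this thread, as an added example that is not from either poster: when the script and its directory are owned by the run-as user, that owner can chmod write access back, so mode bits alone cannot meet the four goals, while a read-only mount does. The function names, the uids passed in and the `read_only` override are assumptions made for illustration.

```python
import os
import stat

def fs_read_only(path):
    """True if the filesystem holding path is mounted read-only."""
    return bool(os.statvfs(path).f_flag & os.ST_RDONLY)

def can_write(st, uid, gids):
    """Owner/group/other write check from mode bits (ignores ACLs and root)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_cgi_dir(cgi_dir, run_uid, run_gids, httpd_uid, read_only=None):
    """Return findings against the four goals listed in the original question.

    Assumes every script lives on the same filesystem as cgi_dir and that
    run_uid is not root (root bypasses mode bits).
    """
    if read_only is None:
        read_only = fs_read_only(cgi_dir)
    findings = []
    if run_uid == httpd_uid:
        findings.append("scripts run as the httpd user")
    if read_only:
        # On a read-only mount both write() and chmod() fail with EROFS,
        # whatever the ownership and mode bits say.
        return findings
    names = sorted(os.listdir(cgi_dir))
    for path in [cgi_dir] + [os.path.join(cgi_dir, n) for n in names]:
        st = os.stat(path)
        if can_write(st, run_uid, run_gids):
            # For the directory itself this also means "can create files".
            findings.append(f"{path}: writable by run-as user")
        elif st.st_uid == run_uid:
            findings.append(f"{path}: owned by run-as user, who can chmod it writable")
    return findings
```
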

