httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] Apache CGI security
Date Mon, 16 Jul 2007 15:55:52 GMT
On 7/16/07, Carlos Eduardo Maiolino <maiolinux@gmail.com> wrote:
> Sorry but, it's wrong.
>
> All users of the system need access in the /etc/passwd.
>
> I won't cgi-scripts list the /etc/passwd

There are some solutions that involve chrooting, SELinux, or similar
restrictions layered on top of basic unix permissions.

But you really hit the key point in "all users of the system need
access ..." CGI scripts are simply programs run by your users. If you
users can access /etc/passwd through the shell, then they can access
it through CGI, and there is no real difference in security. So if
someone already has a shell account, then there is really no extra
security issue in them writing CGI scripts (under suexec) -- the risks
are about the same.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message