I am renting server space on a shared machine which runs my site, and others, as virtual domains on a single instance of Apache. CGI programs run under the uid 'nobody', as does the server itself. This means that if I want to provide write access to a data file, I must allow world write access to that file. It also means that if my CGI program creates a data file, that file is owned by 'nobody' and I do not have full privileges over my own data. Since the box has multiple legitimate users, all users of the box have just as much access to my data as I do. To me, this is a problem. It's both a security problem (protecting my data) and an administrative problem (changing permissions on files created by the CGI script). I've asked the owner of the server to enable the suEXEC feature of Apache. The response I've gotten is that this is a security vulnerability. Indeed, the Apache docs (http://httpd.apache.org/docs/suexec.html) warn that "However, if suEXEC is improperly configured, it can cause any number of problems and possibly create new holes in your computer's security. If you aren't familiar with managing setuid root programs and the security issues they present, we highly recommend that you not consider using suEXEC." The previous sentence, however, notes that "Used properly, this feature can reduce considerably the security risks involved with allowing users to develop and run private CGI or SSI programs." I understand that using suEXEC opens my own account up to any security holes introduced by my own CGI scripts. I'm certainly willing to accept that responsibility and risk. I don't understand what risks there are to the server and machine as a whole, such that the server owner should be reluctant to enable this feature. Could someone please tell me what are the risks and how are these risks controlled in typical "good" use of suEXEC? - George -- ---------------------------------------------------------------------- George Dinwiddie gdinwiddieat_private The gods do not deduct from man's allotted span those hours spent in sailing. http://www.Alberg30.org/ ----------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Thu May 23 2002 - 12:51:03 PDT