Re: CGI security on a shared web server (fwd)

From: Pavel Kankovsky (peakat_private)
Date: Sun May 26 2002 - 08:34:35 PDT


    On Fri, 24 May 2002, Lee E. Brotzman wrote:
    
    > I don't use suEXEC, mainly because it makes *all* the CGI scripts
    > setuid. [...]
    
    The living environment of any program invoked by suexec is cleaned up
    quite well. Most of the data that is allowed to pass through suexec can
    be provided by a remote attacker as well (and the rest, like the server
    version, should be irrelevant in most cases).
    
    > suEXEC also does nothing to actually protect the system from a poorly
    > written script. It just makes sure the location and ownerships are
    > right. The security hole your web service provider is worried about
    > probably stems from the idea of all of a sudden turning on hundreds of
    > setuid scripts of unknown quality on his system. It would be
    > manageable if you were leasing a single rack-mount machine, but for a
    > shared virtual hosting box, the liabilities are too high.
    
    What happens when an insecure CGI program is installed?
    
    1. With suexec, only the account of the idiot who owns the insecure CGI
    program is compromised.
    2. Without suexec, the account the daemon and all other CGI programs run
    under is compromised.
    
    Which one is better? It is a choice between two evils but I myself am
    going to pick (1) whenever I run a system with multiple users who do not
    trust one another (assuming I am going to enable CGIs at all). It is
    better to let a user shoot into his/her own head than to let a user
    shoot into everyone's stomach.
    
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
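The environment scrubbing Pavel refers to is the part of suexec that most people never read, so here is an added example (written for this page, not Apache's own suexec.c) of the same idea: keep only a fixed allow-list of CGI variable names plus the HTTP_ prefix, throw everything else away, and replace PATH with a compile-time constant so the caller's PATH, LD_PRELOAD, IFS and similar never reach the script. The name list is abbreviated from suexec's safe_env_lst, the SAFE_PATH value is an assumption, and the sample environment in main() is constructed for the demo.

```c
/* Added example, not Apache's suexec source: a suexec-style environment
 * scrub. Only names on a fixed allow-list, or carrying the HTTP_ prefix,
 * survive; PATH is always rebuilt from SAFE_PATH. The name list below is
 * abbreviated and SAFE_PATH is an assumed value for illustration. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAFE_PATH "/usr/local/bin:/usr/bin:/bin" /* assumed, in the spirit of suexec's SAFE_PATH */
#define MAX_ENV 128

/* Exact-match names that are passed through (abbreviated list). */
static const char *const safe_names[] = {
    "AUTH_TYPE", "CONTENT_LENGTH", "CONTENT_TYPE", "DOCUMENT_ROOT",
    "GATEWAY_INTERFACE", "PATH_INFO", "PATH_TRANSLATED", "QUERY_STRING",
    "REMOTE_ADDR", "REMOTE_HOST", "REMOTE_USER", "REQUEST_METHOD",
    "REQUEST_URI", "SCRIPT_FILENAME", "SCRIPT_NAME", "SERVER_NAME",
    "SERVER_PORT", "SERVER_PROTOCOL", "SERVER_SOFTWARE", NULL
};

/* Prefix-match names: every request header the client sent. */
static const char *const safe_prefixes[] = { "HTTP_", NULL };

/* Returns 1 if the NAME part of a "NAME=value" entry is allowed. */
static int name_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : strlen(entry);
    for (int i = 0; safe_names[i]; i++)
        if (strlen(safe_names[i]) == n && strncmp(entry, safe_names[i], n) == 0)
            return 1;
    for (int i = 0; safe_prefixes[i]; i++) {
        size_t p = strlen(safe_prefixes[i]);
        if (n >= p && strncmp(entry, safe_prefixes[i], p) == 0)
            return 1;
    }
    return 0;
}

/* Copies allowed entries from the NULL-terminated in[] into out[], then
 * appends a fixed PATH and a terminating NULL. Returns the number of
 * entries written, not counting the NULL. The incoming PATH is never
 * trusted: it is not on the list, so it is dropped and replaced. */
int clean_env(char *const in[], char *out[], int max_out) {
    int n = 0;
    for (int i = 0; in[i] && n < max_out - 2; i++)
        if (name_allowed(in[i]))
            out[n++] = in[i];
    out[n++] = "PATH=" SAFE_PATH;
    out[n] = NULL;
    return n;
}

int main(void) {
    /* Constructed sample environment: real CGI variables mixed with the
     * kind of junk an attacker (or a careless wrapper) would like to pass. */
    char *sample[] = {
        "LD_PRELOAD=/tmp/evil.so", "PATH=/tmp:/usr/bin", "IFS= ",
        "HTTP_HOST=example.org", "QUERY_STRING=id=1",
        "SERVER_SOFTWARE=Apache/1.3.24", "PERL5OPT=-Mevil", NULL
    };
    char *cleaned[MAX_ENV];
    int n = clean_env(sample, cleaned, MAX_ENV);
    for (int i = 0; i < n; i++)
        puts(cleaned[i]); /* only HTTP_HOST, QUERY_STRING, SERVER_SOFTWARE and the fixed PATH survive */
    return 0;
}
```

The interesting part is what the scrubbed list still contains: everything with an HTTP_ prefix is copied through untouched, which is exactly the point made above that most of what suexec passes on is attacker-supplied anyway, so the cleaning protects the system from the wrapper's caller, not the script from the client.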
    
    This archive was generated by hypermail 2b30 : Mon May 27 2002 - 15:43:47 PDT