> I don't understand what risks there are to the server and
> machine as a whole, such that the server owner should be
> reluctant to enable this feature. Could someone please tell
> me what are the risks and how are these risks controlled in
> typical "good" use of suEXEC?

I work as an admin at a hosting provider and I cannot imagine allowing CGIs to run in a mass hosting environment under apache without the use of suexec. Running end users' CGIs as the same user as the web server is asking for problems, IMHO.

Suexec, when improperly configured, can create a security risk (as outlined in its installation documentation), but it is relatively simple to configure it properly.

So, when improperly configured, suexec can pose a problem. When properly configured, it mitigates a variety of issues posed by running CGIs as the same user as the web server.

Jeff
This archive was generated by hypermail 2b30 : Wed May 29 2002 - 10:39:33 PDT