RE: CGI security on a shared web server

From: Jeff Dafoe (jeffdat_private)
Date: Wed May 29 2002 - 08:59:44 PDT


    > I don't understand what risks there are to the server and
    > machine as a whole, such that the server owner should be
    > reluctant to enable this feature.  Could someone please tell
    > me what are the risks and how are these risks controlled in
    > typical "good" use of suEXEC?
    
    I work as an admin at a hosting provider and I cannot imagine allowing CGIs
    to run in a mass hosting environment under Apache without the use of suexec.
    Running end users' CGIs as the same user as the web server is asking for
    problems, IMHO.  Suexec, when improperly configured, can create a security
    risk (as outlined in its installation documentation), but it is relatively
    simple to configure it properly.

    So, when improperly configured, suexec can pose a problem.  When properly
    configured, it mitigates a variety of issues posed by running CGIs as the
    same user as the web server.
    
    
    Jeff
    


