RE: CGI security on a shared web server

From: Martijn de Jong (mdjongat_private)
Date: Thu May 30 2002 - 23:00:27 PDT


    please unsubscribe rhieat_private
    
    -----Original message-----
    From: Simon Burr [mailto:simesat_private]
    Sent: Thursday 30 May 2002 19:30
    To: Jeff Dafoe
    CC: George Dinwiddie; secprogat_private
    Subject: Re: CGI security on a shared web server
    
    
    On Wed, May 29, 2002 at 03:46:54PM -0400, Jeff Dafoe wrote:
    >	Each virtualhost is individually configured such that suexec executes CGIs
    >as the user/group that the virtual host owner logs in as.
    
    You can also add chroot()ing the user into their home directory and the
    configuration of resource limits as well. The chroot()ing bit does mean that
    you have to place various files which will be required by the user's CGI
    scripts into the user's home directory - you can use hard links (has problems
    with administration and needing to have the source files on the same partition
    as the home directories) or loopback mounts (setting up the mount points on
    the fly isn't a great idea on a heavily loaded system tho) to do this.
    
    You also have to be careful with what you place within the chroot() environment
    to make sure that the user can't gain root privs as it's relatively simple to
    break out of a chroot() jail on most unix variants as root. The exception to
    this is FreeBSD which has chroot() return an error if the calling process has
    already called chroot() and it has a file descriptor open on a directory; this
    effectively stops the chroot() escape method.
    
    -- 
        Simon the stressed         http://www.bpfh.net/           simesat_private
     "Our company name changes so often we have to use plain mugs and PostIt notes"
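
The setup discussed in the message above (chroot, resource limits, no path back to root), sketched as an added example that is not code from the thread or from suexec. The function names, the 0..65535 descriptor scan, the uid/gid 1000 and the limit values are assumptions chosen for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* chroot(), setgroups() on glibc */
#endif
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count open descriptors that refer to directories. A directory handle kept
 * across chroot() still points outside the new root; the thread notes that
 * FreeBSD's chroot() checks for one. Scans fds 0..65535 (assumption). */
int open_directory_fds(void)
{
    int count = 0;
    for (int fd = 0; fd < 65536; fd++) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
            count++;
    }
    return count;
}

/* Confine the calling (root) process before it execs a CGI.
 * Returns 0 on success or a negative code naming the step that failed. */
int confine(const char *jail, uid_t uid, gid_t gid, rlim_t cpu_secs, rlim_t nproc)
{
    struct rlimit cpu = { cpu_secs, cpu_secs }, procs = { nproc, nproc };

    if (uid == 0 || gid == 0) return -1;            /* never run a CGI as root */
    if (open_directory_fds() != 0) return -2;       /* no handles to the outside */
    if (setrlimit(RLIMIT_CPU, &cpu) != 0 ||
        setrlimit(RLIMIT_NPROC, &procs) != 0) return -3;
    if (chroot(jail) != 0 || chdir("/") != 0) return -4;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 ||
        setuid(uid) != 0) return -5;                /* groups first, uid last */
    if (setuid(0) == 0) return -6;                  /* root must be unrecoverable */
    return 0;
}

int main(void)
{
    int fd = open("/", O_RDONLY);                   /* constructed stray handle */
    printf("directory fds: %d\n", open_directory_fds());
    printf("confine: %d\n", confine("/tmp", 1000, 1000, 10, 20));
    if (fd >= 0) close(fd);
    return 0;
}
```

The demo main() deliberately leaves a directory descriptor open, so confine() refuses before changing any process state and the program is safe to run as any user.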
    


