[cgiwrap-users] Re: cgiwrap-3.6.4/doc/install
From: Nathan N. <nn...@um...> - 2000-09-13 12:52:39
nicholas cole wrote:
>
> The giant quote below is from cgiwrap-3.6.4/doc/install,
>
> "*VERY IMPORTANT* - Do NOT allow any non-trusted user to run
> scripts directly out of the main cgi-bin directory, as this
> will allow them to use cgiwrap to run any of the other users
> scripts. The reason for this is that if they can run scripts
> as the same userid as the web server, they can subvert some
> of cgiwrap's security checks to allow them to run other
> users scripts. I recommend not running ANY scripts on the
> web server directly, once you have cgiwrap installed."
>
> Now what if the scripts in the main cgi-bin directory are
> owned by a user other than that of the webserver, that user
> being a trusted unused username, does that still carry the
> above risk?
>
> --
> nicholas cole

Yes, because regardless of who owns those scripts, they still run with
the permissions of the web server as the userid that the web server runs
as.

If you wouldn't give that person root access, or access to any account
on this system, don't let them control cgi's in the cgi-bin directory.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nn...@um...
University of Missouri - Rolla         Phone: (573) 341-4841
CIS - Systems Programming                Fax: (573) 341-4216
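Because anything placed in the main cgi-bin runs as the web server's userid whoever owns it, the useful audit is who can write there. The following is an added example, not part of the message above or of cgiwrap; the function names, the trusted-uid set and the sample file names are assumptions made for illustration.

```python
import os
import stat
import tempfile

def who_controls(cgi_bin, trusted_uids, trusted_gids=frozenset()):
    """Return (path, reason) for every entry in cgi_bin that an account
    outside the trusted sets could replace or edit."""
    findings = []
    # The directory itself counts: write access there allows adding or
    # replacing scripts regardless of each file's own mode.
    entries = [cgi_bin] + sorted(
        os.path.join(cgi_bin, n) for n in os.listdir(cgi_bin))
    for path in entries:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink: target is outside this audit"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((path, f"owner uid {st.st_uid} not trusted"))
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            findings.append((path, f"writable by gid {st.st_gid}"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return findings

def demo():
    """Constructed sample tree, built in a temp dir so this runs offline."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        for name, mode in (("cgiwrap", 0o755), ("counter.cgi", 0o775),
                           ("upload.cgi", 0o757)):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(p, mode)
        me = os.getuid()  # assumption: the current account is the trusted one
        return [(os.path.basename(p), r)
                for p, r in who_controls(d, trusted_uids={me})]

if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

On a real server the trusted set would hold only the accounts that meet the bar in the reply above, and every finding is an account or group that effectively holds the web server's privileges.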