Re: [cgiwrap-users] CGIWrap On Non-User Directories
From: Jo R. <jr...@ne...> - 2008-04-21 18:16:36
On Apr 11, 2008, at 8:10 AM, Tim Gustafson wrote:
> is compiled in the mode that you have to specify which user you want to
> execute the scripts as in the Apache configuration file, rather than using
> the script owner's ID, and that doesn't work for my environment. :\

Just for your knowledge, *every* time I've had to help someone figure out how their site was hacked, it was due to this particular setting:

"execute by the script owner's ID"

The "brilliance" of this in a shared hosting environment is simple: from virtual host A, I can make a program run as user B because they own the file. Given how badly written most programs are, it's downright simple to find something owned by someone else that will accept bad input and do something you want.

I simply can't fathom a useful way to do this that doesn't open the door wide open to getting hacked to pieces.

Valid ways to set user-id:
    hardcoded in Apache config per virtual host
    determined based on hardcoded environment data per virtual host (i.e. document root)

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
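The second "valid way" in the message above (user ID derived from hardcoded per-virtual-host data such as the document root) can be sketched as follows. This is an added example, not part of the original message and not CGIWrap's code; the table, paths, uids and the function name `pick_uid` are constructed for illustration, paths are assumed to be already canonical, and the owner check is an extra safeguard assumed here.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample table: vhost document root -> uid fixed by the admin. */
struct vhost_map { const char *docroot; uid_t uid; };
static const struct vhost_map VHOSTS[] = {
    { "/home/alice/public_html", 1001 },
    { "/home/bob/public_html",   1002 },
};

/* True if path is docroot itself or lies beneath it, on a path-component
   boundary. Both paths are assumed canonical (e.g. output of realpath(3)). */
static int under(const char *docroot, const char *path) {
    size_t n = strlen(docroot);
    return strncmp(docroot, path, n) == 0 &&
           (path[n] == '/' || path[n] == '\0');
}

/* Returns 0 and stores the uid to switch to in *out, or -1 to refuse.
   The uid is taken only from the vhost's configured document root, never
   from the file owner; the owner is merely compared against it. */
int pick_uid(const char *docroot, const char *script, uid_t owner, uid_t *out) {
    size_t i;
    for (i = 0; i < sizeof VHOSTS / sizeof VHOSTS[0]; i++) {
        if (strcmp(VHOSTS[i].docroot, docroot) != 0)
            continue;
        if (!under(docroot, script))
            return -1;              /* script lives outside this vhost */
        if (owner != VHOSTS[i].uid)
            return -1;              /* file owned by a different user */
        *out = VHOSTS[i].uid;
        return 0;
    }
    return -1;                      /* vhost not in the table */
}

int main(void) {
    uid_t u = 0;
    /* vhost A requesting its own script: allowed, runs as A's uid */
    int own = pick_uid("/home/alice/public_html",
                       "/home/alice/public_html/cgi-bin/a.cgi", 1001, &u);
    /* vhost A requesting a script owned by and located under B: refused */
    int cross = pick_uid("/home/alice/public_html",
                         "/home/bob/public_html/cgi-bin/b.cgi", 1002, &u);
    printf("own=%d cross=%d\n", own, cross);
    return 0;
}
```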