Re: Running cgi binaries as root

On January 26, 2012 13:51 , Doug McNutt <douglist@xxxxxxxxxxxxxxx> wrote:
At 09:56 -0500 1/26/12, Mark Montague wrote, and I snipped a bunch:
On January 26, 2012 2:50 , Tarzan Jane <lapierre62@xxxxxxxxxxx> wrote:

Concerning the security I believe when using binary scripts, security is increased some levels. Since the cgi binaries are no longer ASCII files, injecting or altering code is hardly possible.
If you use a binary executable instead of interpreted scripts, it's true that you eliminate some security concerns.  [...] However, there are still many security concerns which still exist.  And there are types of attacks that binary executables are *more* vulnerable to than scripts -- for example, buffer overflow and/or stack smashing attacks.

What about cgiwrap ?  Is it still supported?  Can it do the job?  I know it's not a perfect solution but at least it's an attempt.


cgiwrap (and suexec) can handle changing to a different user. Its main benefit is that it can choose which user to change to based on which CGI is requested. In a situation where you are only changing to one other user (root), the benefits of cgiwrap are minimal -- mainly sanitizing the environment and performing some pre-execution sanity checks. Using cgiwrap won't protect against security flaws in the CGI itself (lack of input sanitation, buffer overflows, race conditions, etc.).


--
  Mark Montague
  mark@xxxxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
