On 10/24/12, Pete Houston <ph1@xxxxxxxxxxxxxxxx> wrote:
> On Tue, Oct 23, 2012 at 12:38:39PM +1000, Nick Edwards wrote:
>> was hoping for a general cgi solution that works the same, perhaps it's
>> there and my google fu is failing me today?
>
> Something like sbox? http://stein.cshl.org/software/sbox/
>
>> If not, could this be a feature request, it can not be that much of a
>> resource issue as far as I can see since it already does this for php
>> module.
>> maybe --with-suexec-docroot=/var/www could be modified to stop upper
>> level traversals?
>> I am not a programmer so I have idea.
>
> I do not see any need to have this in core apache. There is already a
> DocumentRoot for non-CGI restrictions and if you want to impose similar

I beg to differ, apache is the web server software, it should be
responsible for things like this, certainly the CGI component, it
surely would not be too much more work for it to lock things down
above the document root for user access, it does it for web pages
already, perhaps an apache developer could chime in with his or her
opinion on this? Maybe one of the mod_cgi devs could have a comment,
perhaps it is better suited to them.

sbox looks like "just another wrapper", so, like works like suphp etc,
we are at the mercy of some third party who may, or may not continue to
develop and fix exploits in it, modernize it for today's compilers,
whatever, the last update to sbox was 2005. And yes, suphp, like
phpsuexec, have both had, in years not so long ago, a not so good
reputation in security.

A gentleman I work with has told me he tried sbox back in 2006, he was
not impressed with its performance, perhaps this is why a project that
reports to be around for a long time has little been heard of, I don't
know, but I would be hesitant to use an unknown third party wrapper.