Re: [users@httpd] Securing cgi (suexec or another solution?)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Marc,

thanks for the tip :)

After giving it some more thinking, I decided to split my webspace into 2 different lvm partitions, one being mounted read-only and one being mounted read-write.

This way I can run my scripts by a non-apache user, and still ensure they cannot be modified by the user running them.

Regards,

Christian
----- Original Message ----- From: "Marc Bentje" <noreply@xxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Thursday, May 05, 2005 6:58 AM
Subject: Re: [users@httpd] Securing cgi (suexec or another solution?)



Hello Christian,

therefore i search a special version of chroot,
searching a while, i find some mods
that don't fit my needs but maybe yours

try cgiwrap

type it in sourceforge.net ... there are only two
project for choice

cheers
marc


Am Don, 2005-05-05 um 01.27 schrieb Christian Ehlers:
Hello,



I have a question about securing my cgi scripts with suexec.



I have successfully setup my apache2 (V.: 2.0.52) with suexec.



I am trying to accomplish the following goals:



The cgi script should NOT:

   run as the apache user.

   be able to write to itself.

   be able to create files within itʼs directory.

   be able to write to other cgi scripts in the same directory.





Unfortunately, suexec seems to require the directory and the cgi to be
executed to be belonging to the user/group that executes it.



Is there any way to have suexec not check if the directory/program
belongs to them?



Iʼd prefer to have my script owned by root and running under a normal
user that is not the apache user.  Is there any way to accomplish this
with either suexec or another solution?



Thanks for any help.



Regards,



 Chris




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux