>On some systems, yes, people can "give away" files. Even on systems
>where they can't, this would be a bad idea since people could do
>malicious things to other people's accounts using their own binaries.
>The more-secure solution that I was thinking of was simply hard-coding
>a knowledge of the VirtualDocumentRoot into suexec so that cgi's

Indeed, having suexec grab the uid of the VirtualDocumentRoot directory itself would be fairly safe ... right?

>within a particular vhost were run under a particular userid.
>As far as getting such a solution into the "mainline" apache httpd, I
>guess it could be possible using a VirtualUserGroup directive, or
>something of the sort. I'd have to think more about the security
>implications. Hard-coding it into suexec would actually be more
>secure, but you need to be very careful with any modification to
>suexec.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
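
The checks a wrapper would need before taking a uid from the owner of a document-root directory, as an added example that is not part of the original thread and is not Apache suexec code. The function name `docroot_owner`, the `min_uid` parameter and the floor of 100 used in `main` are assumptions made for the illustration.

```c
/* Added illustration, not Apache suexec code. docroot_owner() and
 * min_uid are hypothetical names. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 and stores the owner in *uid if `path` is acceptable as a
 * per-vhost document root, -1 otherwise. */
int docroot_owner(const char *path, uid_t min_uid, uid_t *uid)
{
    struct stat st;
    int ok;
    /* O_NOFOLLOW: refuse a symlink as the final path component.
     * O_DIRECTORY: refuse anything that is not a directory. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor we hold, so the object cannot be swapped
     * between the checks and the read of its owner. */
    ok = fstat(fd, &st) == 0
        && S_ISDIR(st.st_mode)
        && st.st_uid >= min_uid                 /* no root/system accounts */
        && !(st.st_mode & (S_IWGRP | S_IWOTH)); /* only the owner may write */
    close(fd);
    if (!ok)
        return -1;
    *uid = st.st_uid;
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid;
    /* 100 is an assumed floor for ordinary user accounts. */
    if (argc != 2 || docroot_owner(argv[1], 100, &uid) != 0) {
        fprintf(stderr, "rejected\n");
        return EXIT_FAILURE;
    }
    printf("%lu\n", (unsigned long)uid);
    return EXIT_SUCCESS;
}
```

On systems where files can be given away, the owner of the directory is still only as trustworthy as whoever controls its parent, so the parent directories need the same scrutiny.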