Posted to apache-bugdb@apache.org by "Tyler J. Allison" <al...@nas.nasa.gov> on 1997/07/27 06:40:02 UTC
Re: mod_cgi/918: if not using suexec, apache forces user to use
server gid/uid settings
The following reply was made to PR mod_cgi/918; it has been noted by GNATS.
From: "Tyler J. Allison" <al...@nas.nasa.gov>
To: Dean Gaudet <dg...@arctic.org>
Subject: Re: mod_cgi/918: if not using suexec, apache forces user to use
server gid/uid settings
Date: Sat, 26 Jul 1997 21:33:16 -0700
> The last line of can_exec is:
>
> return (finfo->st_mode & S_IXOTH);
>
> Do you not have the o+x bit set?
Why would I want other people on my system able to execute other people's
cgi-bin files, just so the web server can do it? In my opinion this
"requirement" that cgi-bins either be called using apache's suexec program or
be set world executable is unacceptable, and should be placed as a compile
time option.
When placed as a compile time option maybe it can be described as apache
enforcing file mode checking or something.
However, we have our own cgi-bin wrapper that does more extensive checks,
logging, and then the change of user id before execution than the one shipped
with apache. We would prefer to just use a compile time option instead of
having to patch every release before compiling.
-Tyler
.-- --.
| Tyler Allison | Sterling Software | Voice: (415) 604-6629 |
| Network Engineer I | M/S 258-6 | Fax: (415) 604-4377 |
| LAN/Security Group | NASA Ames Research Center +-----------------------+
| NAS Facility | Moffett Field, CA 94035 | allison@nas.nasa.gov |
`-- --'