Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1996/10/23 14:33:43 UTC

CGI security (fwd)

----- Forwarded message from Graham King -----

Date: Wed, 23 Oct 1996 11:52:42 +0000
From: Graham King <gp...@kingston.ac.uk>
Subject: CGI security
To: apache-bugs@mail.apache.org

Not a bug, but a suggestion for future development - sorry if this is
the wrong place to mail it, but I couldn't see any more suitable mail
address on your web site.

Having all CGI scripts run as the same username is a major problem, and
one which is stopping me moving from the old CERN server to APACHE. With
CERN 3.0 I can, with some fiddling about, set things up so that each
user's scripts run under that user's userid and group, and so can't nobble
system files or files belonging to other users. On a server which is
shared by potentially thousands of staff and students, I can't get away
with not allowing them to experiment with CGI scripts, and I certainly
don't trust any of them.

Ideally, I'd like to be able to nominate a user CGI subdirectory, just
like I can nominate a user "page" directory with the UserDir command.
Something like "UserExec dirname" which would allow users to put their
CGI scripts in the specified subdirectory of their home directory and
would then run them as a process belonging to that username.

----- End of forwarded message from Graham King -----