Newsgroups: comp.unix.bsd.386bsd.misc
From: richard@cogsci.ed.ac.uk (Richard Tobin)
Subject: Re: personal cgi on bsd
X-Nntp-Posting-Host: pitcairn
Message-ID: <DrEEvG.JLM@cogsci.ed.ac.uk>
Sender: cnews@cogsci.ed.ac.uk (C News Software)
Organization: HCRC, University of Edinburgh
References: <4msvm4$d0k@ns2.ryerson.ca> <4mv70t$fl7@innocence.interface-business.de>
Date: Tue, 14 May 1996 13:59:40 GMT
Lines: 35

In article <4mv70t$fl7@innocence.interface-business.de> joerg_wunsch@interface-business.de (Joerg Wunsch) writes:
>You can certainly find a trick to circumvent the deliberate security
>measures of your web server -- but I wouldn't do it.

It's hardly a trick: last time I did it, it was just a case of adding
"AddType application/x-httpd-cgi .cgi" to srm.conf and "Options ExecCGI"
to access.conf. If this is a trick, then making a directory world-readable
by doing "chmod a+rx" is a trick.

>If you can trust
>your users that much that you'd like to bless all their CGI scripts
>unseen, you can as well include them into the webadmin group, and make
>the CGI directory writeable for this group.

This is much less convenient. It makes it much harder to test new versions
of a Web document: if you refer to scripts by relative URLs you can just
move an entire directory tree into place once it's ready. If scripts have
to go in a fixed place, you can't run two versions in parallel without
renaming the scripts.

Of course you have to decide how much you trust your users: both their
integrity and their competence. If they're malicious they can run programs
that listen on sockets and do whatever they want; even with a firewall
they can forward their mail messages to a program that executes the
contents. The main problem with CGI scripts is that it's easy to make a
mistake, especially if you write in shell-like languages with
hard-to-untangle evaluation rules ("so how many quotes and backslashes do
I need here?").

-- Richard

--
"Hither turn thy steps, hither come to thy death and for Camilla receive
due guerdon! Shalt thou, even thou, die by Diana's darts?"
[Virgil, Aeneid XI 855-7]
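A small audit of the two settings Richard describes, added here as an illustration and not code from the thread: it reads Apache 1.x-style srm.conf and access.conf text and reports which <Directory> blocks would execute files carrying the AddType'd extension, flagging per-user wildcard paths. The config fragments are constructed samples, and the parser assumes one Options line per block and no inheritance between nested blocks.

```python
import re
# Constructed Apache 1.x-style fragments: AddType lives in srm.conf, Options in access.conf.
SRM_CONF = 'AddType application/x-httpd-cgi .cgi\n'
ACCESS_CONF = """\
<Directory /usr/local/www/data>
Options Indexes FollowSymLinks
</Directory>
<Directory /usr/local/www/data/uploads>
Options +Includes -ExecCGI
</Directory>
<Directory /home/*/public_html>
Options ExecCGI Indexes
</Directory>
"""

def cgi_extensions(srm_text):
    """Extensions Apache executes as CGI because of AddType lines."""
    exts = []
    for line in srm_text.splitlines():
        m = re.match(r'\s*AddType\s+application/x-httpd-cgi\s+(.+)$', line, re.I)
        if m:
            exts.extend(m.group(1).split())
    return exts

def execcgi_directories(access_text):
    """Map each <Directory> path to whether its Options leave ExecCGI on."""
    result, path = {}, None
    for line in access_text.splitlines():
        line = line.strip()
        start = re.match(r'<Directory\s+"?([^">]+)"?\s*>$', line, re.I)
        opt = re.match(r'Options\s+(.+)$', line, re.I)
        if start:
            path = start.group(1).strip()
            result[path] = False
        elif line.lower() == '</directory>':
            path = None
        elif opt and path is not None:
            toks = opt.group(1).split()
            if all(t[0] in '+-' for t in toks):  # relative +Opt/-Opt form
                for t in toks:
                    if t[1:].lower() == 'execcgi':
                        result[path] = t[0] == '+'
            else:  # absolute form: only the listed options are enabled
                result[path] = any(t.lower() == 'execcgi' for t in toks)
    return result

def audit(srm_text, access_text):
    """(path, is_per_user_wildcard, extensions) for each directory running CGI."""
    exts = cgi_extensions(srm_text)
    return [(p, '*' in p, exts) for p, on in execcgi_directories(access_text).items() if on]
```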