*BSD News Article 68606

Newsgroups: comp.unix.bsd.386bsd.misc
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!cancer.vividnet.com!hunter.premier.net!bofh.dot!news.mathworks.com!newsfeed.internetmci.com!tank.news.pipex.net!pipex!usenet2.news.uk.psi.net!uknet!uknet!newsfeed.ed.ac.uk!edcogsci!richard
From: richard@cogsci.ed.ac.uk (Richard Tobin)
Subject: Re: personal cgi on bsd
X-Nntp-Posting-Host: pitcairn
Message-ID: <DrEEvG.JLM@cogsci.ed.ac.uk>
Sender: cnews@cogsci.ed.ac.uk (C News Software)
Organization: HCRC, University of Edinburgh
References: <4msvm4$d0k@ns2.ryerson.ca> <4mv70t$fl7@innocence.interface-business.de>
Date: Tue, 14 May 1996 13:59:40 GMT
Lines: 35

In article <4mv70t$fl7@innocence.interface-business.de> joerg_wunsch@interface-business.de (Joerg Wunsch) writes:
>You can certainly find a trick to circumvent the deliberate security
>measures of your web server -- but i wouldn't do it.

It's hardly a trick: last time I did it it was just a case of adding
"AddType application/x-httpd-cgi .cgi" to srm.conf and "Options
ExecCGI" to access.conf.  If this is a trick, then making a directory
world-readable by doing "chmod a+rx" is a trick.

>If you can trust
>your users that much that you'd like to bless all their CGI scripts
>unseen, you can as well include them into the webadmin group, and make
>the CGI directory writeable for this group.

This is much less convenient.  It makes it much harder to test new
versions of a Web document: if you refer to scripts by relative URLs
you can just move an entire directory tree into place once it's ready.
If scripts have to go in a fixed place, you can't run two versions
in parallel without renaming the scripts.

Of course you have to decide how much you trust your users: both their
integrity and their competence.  If they're malicious they can run
programs that listen on sockets and do whatever they want; even with a
firewall they can forward their mail messages to a program that
executes the contents.  The main problem with CGI scripts is that it's
easy to make a mistake, especially if you write in shell-like
languages with hard-to-untangle evaluation rules ("so how many quotes
and backslashes do I need here?").

-- Richard

--
"Hither turn thy steps, hither come to thy death and for Camilla
receive due guerdon!  Shalt thou, even thou, die by Diana's darts?"
                                              [Virgil, Aeneid XI 855-7]
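The two directives Richard mentions, shown in place as an added configuration example (Apache 1.x syntax, not text from the original post). The path /home/*/public_html is an assumed UserDir layout; the point of the Directory block is to grant ExecCGI only under users' trees rather than server-wide, and AllowOverride None stops a user from widening it again from a .htaccess file.

```apache
# srm.conf: map the .cgi extension to the CGI handler
AddType application/x-httpd-cgi .cgi

# access.conf: ExecCGI scoped to users' public_html directories only
# (/home/*/public_html is an assumed layout matching "UserDir public_html")
<Directory /home/*/public_html>
    Options ExecCGI
    AllowOverride None
</Directory>
```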
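The last paragraph's point about shell CGI scripts and evaluation rules, as an added example that is not part of the original post: a once-common idiom that hands a query string to eval, beside a parser that never re-parses the value as shell syntax and checks it against an allow-list before use. The function names (unsafe_parse, cgi_param, valid_username, safe_lookup) and the user table are constructed for the illustration.

```sh
#!/bin/sh
# Added example (not from the original post): the quoting mistake
# described in the post, beside a version that avoids it.
# Names and the user table below are constructed for this illustration.

# Constructed stand-in for a file the script would normally grep.
USERS='alice:Alice Example
bob:Bob Example'

# UNSAFE: turn "a=1&b=2" into shell assignments by rewriting '&' to ';'
# and handing the result to eval.  The query is re-parsed by the shell,
# so a query of "user=alice;id" runs id with the server's uid.
unsafe_parse() {
    eval "$(printf '%s' "$1" | sed 's/&/;/g')"
}

# SAFE: split the query on '&' with IFS and pick the wanted pair with
# case.  The value is printed, never re-parsed as shell syntax.  Globbing
# is disabled in the subshell so a '*' in the query cannot expand.
# (%XX decoding is omitted; do it on the returned value, then validate.)
cgi_param() {
    (
        set -f
        IFS='&'
        for pair in $2; do
            case $pair in
                "$1="*) printf '%s\n' "${pair#*=}"; exit 0 ;;
            esac
        done
        exit 1
    )
}

# Allow-list check: a user name is 1-32 characters from [A-Za-z0-9_-].
valid_username() {
    case $1 in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# Look up the "user" parameter.  Return codes: 0 found, 1 not in table,
# 2 parameter missing, 3 parameter rejected by the allow-list.
safe_lookup() {
    user=$(cgi_param user "$1") || return 2
    valid_username "$user" || return 3
    printf '%s\n' "$USERS" | grep -- "^$user:"
}

# A real CGI script would call:  safe_lookup "$QUERY_STRING"
```

The unsafe version is not fixed by quoting alone: once the query reaches eval, every metacharacter in it is live. The safe version keeps the data as data by using IFS and case, which is why the allow-list check can be trusted to see the same string grep will see.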