Interchange Developer Resource

[ic] suid vs. suexec with limited cgi-bin contents



On Tue, 5 Mar 2002, John Young wrote:

> What is considered better from a security standpoint (yeah,
> I know there are a lot of variables even in this comparison):
>
> A) vlink as the only file in cgi-bin, suid, owned by the
>    interchange user, and a-w on it and the cgi-bin directory.
>
> -or-
>
> B) same as above, but apache with suexec, and no suid on vlink.

I don't think there's much of a difference. With (B) you're trusting
suexec and the operating system setuid, and with (A) you're just trusting
the OS setuid. But suexec has been pretty rigorously tested.

Either way is fine.

Jon
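
A way to check a cgi-bin against the two layouts described in this thread, as an added example that is not part of the original messages or of Interchange itself. The function names, the `suid`/`suexec` mode labels and the directory and owner arguments are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit a cgi-bin against the two layouts discussed in the thread.
# Usage: audit_cgi_bin DIR OWNER MODE
#   MODE=suid   : option A, vlink carries the setuid bit
#   MODE=suexec : option B, no setuid bit (Apache suexec refuses setuid targets)
# DIR and OWNER are supplied by the caller (hypothetical values).

# True when find's tests match the single path $1 (no descent into it).
matches() { p=$1; shift; [ -n "$(find "$p" -prune "$@" -print)" ]; }

fail() { echo "FAIL: $*"; rc=1; }

audit_cgi_bin() {
    dir=${1%/} owner=$2 mode=$3 rc=0
    link="$dir/vlink"

    [ -d "$dir" ] || { fail "$dir is not a directory"; return 1; }
    if [ ! -f "$link" ] || [ -L "$link" ]; then
        fail "$link is missing or not a regular file"; return 1
    fi

    # vlink must be the only entry in cgi-bin
    [ -z "$(find "$dir" ! -path "$dir" ! -path "$link" -print)" ] ||
        fail "cgi-bin contains entries other than vlink"

    # owned by the interchange user
    matches "$link" -user "$owner" || fail "vlink is not owned by $owner"

    # a-w on vlink and on the cgi-bin directory
    for path in "$link" "$dir"; do
        if matches "$path" \( -perm -200 -o -perm -020 -o -perm -002 \); then
            fail "$path has a write bit set"
        fi
    done

    case $mode in
        suid)   matches "$link" -perm -4000 || fail "vlink lacks the setuid bit" ;;
        suexec) if matches "$link" -perm -4000; then fail "vlink is setuid"; fi ;;
        *)      fail "unknown mode '$mode' (use suid or suexec)" ;;
    esac
    return "$rc"
}
```

The function prints one `FAIL:` line per deviation and returns non-zero if any were found, so it can run from cron or a deployment check.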


