On Fri, 14 Apr 2000, Ime Smits wrote:

> | I also have ASP installed, and I'd like to be able to transparently suid
> | the .asp scripts too. Do you know how I could go about doing this?
> 
> I think this is a general bad idea. The only purpose of running scripts via
> a suexec or setuid mechanism I can think of is to stop different users &
> websites running on the same httpd digging and interfering in each other's
> data and files.

This server is used by many unaffiliated people who run their own
websites. Some people want to write their own CGI or ASP scripts that work
with files. The simplest example is a form that can be filled out and
stores the data in a file. If I don't suid their scripts, then they can
mess up each other's data files. They also cannot write data files into
their own directories.

Also, my system has cgiexec (does suid for CGI scripts) installed. The
cgiexec documentation says that once cgiexec is installed, it is a
security risk if people can execute code as "nobody" since that user has
special access to the cgiexec code. Right now, anyone can execute code as
nobody by writing ASP code, so in essence I have a security hole in my
system, and I DO need cgiexec.

So, does anyone have suggestions on how to do suid for ASP scripts?

> If you're not trusting the people making websites and you're looking for a
> virtual hosting solution, I think some postings earlier this week about

That's exactly the case here.

> proxying requests to a user-dedicated apache listening on localhost is the
> best solution.

Wouldn't this require running one web server process for each user? I may
be wrong, but it seems to be simpler to just suid their scripts.

-Philip Mak ([EMAIL PROTECTED])
