On Mon, 17 Apr 2000, Ime Smits wrote:

> | Also, my system has cgiexec (does suid for CGI scripts) installed. The
> | cgiexec documentation says that once cgiexec is installed, it is a
> | security risk if people can execute code as "nobody" since that user has
> | special access to the cgiexec code. Right now, anyone can execute code as
> | nobody by writing ASP code, so in essence I have a security hole in my
> | system, and I DO need cgiexec.
> 
> Like I said, doing something like suEXEC will solve your file access
> problems, but it won't prevent people from messing up things like the
> $Session and $Application objects which are accessible to all users running
> their site on this webserver. It won't even prevent a user from redefining
> scalars, subroutines or even complete modules which do not belong to
> their own scripts.

Huh? SuEXEC only works with mod_cgi (e.g. it requires the exec() part of
its name to get the Su part), it is not applicable to the persistent
mod_perl world.

The rest of your discussion seems to relate to the persistence of
the mod_perl environment.

<rest of message snipped>

-Tom
