Theoretically, you could run Apache::ASP scripts 
as a CGI program, which could then inherit the suexec
environment for execution, creating $Session & such 
as that suexec user.

Problem is that I have never gotten ASP to run as a full 
CGI well.  Check out the asp script in the distribution
cgi directory.  You can then run an ASP script if you
have its #cgi line as #!/usr/local/bin/perl asp.  I got it
working roughly once, everything except POST I believe,
so you might be able to patch the stuff up nicely.

Note that Apache::ASP will be dog slow run as a cgi 
with all of the perl modules it "uses" in addition to
perl compiling its own 1000s of lines of code.

-- Joshua
_________________________________________________________________
Joshua Chamas                           Chamas Enterprises Inc.
NodeWorks >> free web link monitoring   Huntington Beach, CA  USA 
http://www.nodeworks.com                1-714-625-40

Philip Mak wrote:
> 
> On Fri, 14 Apr 2000, Ime Smits wrote:
> 
> > | I also have ASP installed, and I'd like to be able to transparently suid
> > | the .asp scripts too. Do you know how I could go about doing this?
> >
> > I think this is a general bad idea. The only purpose of running scripts via
> > a suexec or setuid mechanism I can think of is to stop different users &
> > websites running on the same httpd digging and interfering in each other's
> > data and files.
> 
> This server is used by many unaffiliated people who run their own
> websites. Some people want to write their own CGI or ASP scripts that work
> with files. The simplest example is a form that can be filled out and
> stores the data in a file. If I don't suid their scripts, then they can
> mess up each others' data files. They also cannot write data files into
> their own directories.
> 
> Also, my system has cgiexec (does suid for CGI scripts) installed. The
> cgiexec documentation says that once cgiexec is installed, it is a
> security risk if people can execute code as "nobody" since that user has
> special access to the cgiexec code. Right now, anyone can execute code as
> nobody by writing ASP code, so in essence I have a security hole in my
> system, and I DO need cgiexec.
> 
> So, does anyone have suggestions on how to do suid for ASP scripts?
> 
> > If you're not trusting the people making websites and you're looking for a
> > virtual hosting solution, I think some postings earlier this week about
> 
> That's exactly the case here.
> 
> > proxying requests to a user-dedicated apache listening on localhost is the
> > best solution.
> 
> Wouldn't this require running one web server process for each user? I may
> be wrong, but it seems to be simpler to just suid their scripts.
> 
> -Philip Mak ([EMAIL PROTECTED])