"Gunther Birznieks" <[EMAIL PROTECTED]> wrote:
> In the context of what you are talking about, I think giving ExecCGI
> permissions should not allow them to change mod_perl handlers or do
> anything to adjust mod_perl either. ExecCGI is a lot less problematic than
> exposing access to mod_perl from a shared web server security standpoint
> especially if CGI's are suexec'ed.
>
> So I would advocate an ExecModPerl option or something like that so that
> user's could not arbitrarily install their own Perl Handlers.
>[snip]
> 1) users can only use specific modules (or modules in specific places)
> 2) users can't (by implication) use Apache::Registry unless I say so
> 3) users can't change PERL5LIB or use PerlSetEnv (or PerlPassEnv)
> 4) users can't include any Perl code indirectly or otherwise (e.g., <Perl>)
It seems like what you're really asking for is some sort of "LessModPerl" directive
that disallows raw perl (<perl> sections, PerlModule and PerlRequire directives,
others?) in .htaccess and limits @INC within .htaccess to a certain path, but allow
users to add
PerlSetVar youconfigvalue
PerlHandlder YourPredefined::handlers
to their .htaccess sections
I agree - this has very useful applications in shared hosting. Having developed on
large shared-server ISPs that successfully manage multiple developers, I've always
thought it was going to be problematic for ISP's to deploy it because all of mod_perls
power is just as easily invoked from .htaccess as it is from conf files (where the
shared users are forbidden to go).
that's where to enforce the security. administrators need to be able to set up the
server conf files such that users can use .htaccess to configure what mod_perl
handlers they want to use, but they can't specify handlers outside of a read-only (to
them) "handlerlib" area and so cannot write their own handlers, "PerlRequire" scripts,
or "PerlModule" modules.
-dave
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
