On 7/16/07, Carlos Eduardo Maiolino <[EMAIL PROTECTED]> wrote:
Sorry but, it's wrong.
All users of the system need access in the /etc/passwd.
I won't cgi-scripts list the /etc/passwd
There are some solutions that involve chrooting, SELinux, or similar
restrictions layered on top of basic unix permissions.
But you really hit the key point in "all users of the system need
access ..." CGI scripts are simply programs run by your users. If you
users can access /etc/passwd through the shell, then they can access
it through CGI, and there is no real difference in security. So if
someone already has a shell account, then there is really no extra
security issue in them writing CGI scripts (under suexec) -- the risks
are about the same.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
