The following reply was made to PR mod_cgi/918; it has been noted by GNATS.
From: "Tyler J. Allison" <[EMAIL PROTECTED]>
To: Dean Gaudet <[EMAIL PROTECTED]>
Subject: Re: mod_cgi/918: if not using suexec, apache forces user to use server gid/uid settings
Date: Sat, 26 Jul 1997 21:33:16 -0700

> The last line of can_exec is:
>
>     return (finfo->st_mode & S_IXOTH);
>
> Do you not have the o+x bit set?

Why would I want other people on my system able to execute other people's cgi-bin files, just so the web server can do it?

In my opinion this "requirement" that cgi-bin's either be called using apache's suexec program or be set world executable is unacceptable, and should be placed as a compile-time option. When placed as a compile-time option maybe it can be described as apache enforcing file mode checking or something.

However, we have our own cgi-bin wrapper that does more extensive checks, logging, and then the change of user id before execution than the one shipped with apache. We would prefer to just use a compile-time option instead of having to patch every release before compiling.

-Tyler

Tyler Allison      | Sterling Software         | Voice: (415) 604-6629
Network Engineer I | M/S 258-6                 | Fax:   (415) 604-4377
LAN/Security Group | NASA Ames Research Center |
NAS Facility       | Moffett Field, CA 94035   | [EMAIL PROTECTED]
