Once upon a time, Paul Adamson <[EMAIL PROTECTED]> said:
> Research something called cgiwrapper, it's a 'sandbox' which the cgi gets to
> play in to stop it breaking anything. Here it is...

RaQs (since the RaQ2 IIRC) already use cgi-wrapper. However, since Cobalt has always used a 100% wide-open Apache config, all it takes to avoid cgi-wrapper is:

    Options FollowSymLinks ExecCGI Includes SymLinksIfOwnerMatch
    AddHandler cgi-script .cgi

in a .htaccess file to make your CGI run as user httpd and group httpd (which means you can avoid any disk quotas for your CGI generated files, CGI restrictions from the web interface, etc.).

The option for enabling/disabling CGI in the web interface is a "feel good" option only; anyone with an account on a RaQ can run CGI. And through that, they can also get shell access (another Cobalt web interface option that is useless).

On the RaQ3 and up, any user can also write mod_perl extensions that will run in the Apache server, which means that they can get into all kinds of stuff (including possibly SSL private certificates of other sites).

-- 
Chris Adams <[EMAIL PROTECTED]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
_______________________________________________
cobalt-developers mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-developers
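
An added example, not part of the original post and not Cobalt's code: a small auditor that reads an Apache config and reports which <Directory> blocks would let a user's .htaccess apply both directives quoted in the message. It assumes that "wide-open" means AllowOverride grants the Options and FileInfo override classes; the sample config and its paths are constructed.

```python
import re

# Constructed sample config; paths are placeholders, not taken from a real RaQ.
SAMPLE_CONF = """
<Directory "/srv/example/sites">
    AllowOverride All
</Directory>
<Directory "/srv/example/hardened">
    Options Indexes SymLinksIfOwnerMatch
    AllowOverride AuthConfig Limit
</Directory>
<Directory "/srv/example/partial">
    AllowOverride Options=Indexes FileInfo
</Directory>
"""

def parse_directory_overrides(conf_text):
    """Return {path: AllowOverride tokens} for <Directory> blocks that set it.
    Inheritance between nested blocks and version defaults are not modelled."""
    overrides, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if opened:
            current = opened.group(1)
        elif line.lower().startswith("</directory"):
            current = None
        elif current and line.split()[0].lower() == "allowoverride":
            overrides[current] = line.split()[1:]
    return overrides

def permitted_directives(tokens):
    """Which of the two directives in the quoted .htaccess these tokens allow."""
    toks = [t.lower() for t in tokens]
    everything = "all" in toks
    # Bare "Options" allows any option; "Options=a,b" allows only those listed.
    exec_cgi = everything or "options" in toks or any(
        t.startswith("options=") and {"execcgi", "all"} & set(t[8:].split(","))
        for t in toks)
    # AddHandler is in the FileInfo override class.
    return {"Options ExecCGI": exec_cgi, "AddHandler": everything or "fileinfo" in toks}

def audit(conf_text):
    """True per directory when both directives, hence the bypass, are allowed."""
    return {path: all(permitted_directives(toks).values())
            for path, toks in parse_directory_overrides(conf_text).items()}

if __name__ == "__main__":
    for path, exposed in audit(SAMPLE_CONF).items():
        print(f"{path}: {'.htaccess can enable CGI' if exposed else 'ok'}")
```

A block that does not set AllowOverride is left out of the result, because its effective value depends on parent blocks and on the server version's default.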
