On Wed, 23 Jul 1997, Jakob Borg wrote: > Hi. > > I want to enable the users of my webserver to use certain CGI-scripts > (provided by me) by using mod_include. > To do that, one would use the tag <!--#exec cgi="/cgi-bin/script" -->, > but one could also use the <!--"exec cmd="dangerous.command" -->. > That last possiblity is what I want to eliminate. One way would be to > remove /bin/sh, which is out of the question. Any other suggestions?
I had this exact same question about Stronghold (basically apache + ssl), and was told (and discovered) that if you accomplish this by setting IncludesNOEXEC for the users, and have them instead use #include virtual. This will cause any scripts that are called from a ScriptAlias directory to be run as cgi, and anything else included from a regular user directory included as text in the usual manner. Check out the docs for Apache for mod_includes for more info on this. Works great for us using Stronghold 1.3, your mileage may vary with Apache though. -Leigh ----------------------------------------------------------------------------- Leigh Koven [EMAIL PROTECTED] CyberComm Online Services http://www.cybercomm.net (732) 818-3333 telnet://cybercomm.net Tech Support/Inquiries should be sent to: [EMAIL PROTECTED] ----------------------------------------------------------------------------- -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .