On Wed, 23 Nov 2005, Russ Allbery wrote:

> Tim Spriggs <[EMAIL PROTECTED]> writes:
>
> > Of course, this doesn't completely solve the problem, right? As long as
> > the webserver can see it and other people can run stuff as the webserver
> > (like a quick perl/cgi script)
>
> Right, that's why you don't allow the second one, or if you do, you run
> those programs with a different set of credentials than the server using a
> hacked suexec.

Not allowing the second one is silly in our case, we have a lot of content in user home directories.

So you are running everything in suexec as a secondary user? This mechanism doesn't have any problems with afs/kerberos credentials being passed on or is that what is hacked about it? Also, does this incur performance problems? We have been slashdotted a few times and we do our best to keep the server slashdott'able (if that's even a word...)

Personally, I've never liked the idea of enabling suexec in apache, but then that might be my own ignorance of the codebase. Maybe an apache/afs document can be made. I might be able to implement the beginnings of such a beast or even modify an existing document to bring it up to speed.

Thanks,
-Tim

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
