Tim Spriggs <[EMAIL PROTECTED]> writes:

> On Wed, 23 Nov 2005, Russ Allbery wrote:

>> Tim Spriggs <[EMAIL PROTECTED]> writes:

>>> Of course, this doesn't completely solve the problem, right? As long as
>>> the webserver can see it and other people can run stuff as the webserver
>>> (like a quick perl/cgi script)

>> Right, that's why you don't allow the second one, or if you do, you run
>> those programs with a different set of credentials than the server
>> using a hacked suexec.

> Not allowing the second one is silly in our case, we have a lot of
> content in user home directories.

It depends on what you're serving; you can do quite a lot with static
HTML generated via other mechanisms, or there's also things like PHP safe
mode (if you can trust it). But yes, it doesn't work for a lot of things.

> So you are running everything in suexec as a secondary user?

For untrusted users, yes.

> This mechanism doesn't have any problems with afs/kerberos credentials
> being passed on or is that what is hacked about it?

That's the part that's hacked about it.

> Also, does this incur performance problems?

It's certainly slower, and it means that you can't use mod_perl, mod_php,
etc. and have to run an external interpreter. That's definitely not
ideal, and it would be nice to have a better solution to that. But
maintaining a separate token for a particular Apache thread is very hard.

People doing things that require higher performance have to convince us
that they know what they're doing and won't cause security vulnerabilities
and can be trusted with the more general server credentials. (Which are
still not particularly strong, to mention.)

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
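The exchange above turns on one point: an untrusted CGI must not inherit the web server's Kerberos/AFS credentials, which is what the "hacked suexec" in the thread arranges. The following is an added illustration of that idea in Python, not the suexec patch the thread refers to and not OpenAFS code. It launches a child with the Kerberos credential-cache variables stripped from its environment and, when the caller is root, switches the child to a different account first. The variable names are real Kerberos ones; which ones a deployment needs to strip, the sample server environment, and the made-up cache path are all assumptions. Note what this does not cover: AFS tokens are held by the kernel per PAG, not in the environment, so a real suexec replacement also needs a fresh PAG (or an explicit token discard) for the child, which this example does not model.

```python
"""Added example: run a CGI-style child without the server's Kerberos
credential cache and, optionally, under a different uid/gid.
Not code from the thread or from OpenAFS."""
import os
import pwd
import subprocess

# Variables that point a process at a Kerberos credential cache or keytab.
# The names are genuine Kerberos variables; the set is an assumption about
# what a particular deployment must strip before starting untrusted code.
CREDENTIAL_ENV_VARS = frozenset({
    "KRB5CCNAME", "KRBTKFILE", "KRB5_KTNAME", "KRB5_CLIENT_KTNAME",
})


def scrubbed_environment(env):
    """Return a copy of env with credential-bearing variables removed."""
    return {k: v for k, v in env.items() if k not in CREDENTIAL_ENV_VARS}


def make_privilege_dropper(username):
    """Build a preexec_fn that moves the child to `username` (root only)."""
    entry = pwd.getpwnam(username)

    def drop():
        os.setgroups([])           # discard the server's supplementary groups
        os.setgid(entry.pw_gid)    # gid before uid, while we can still do it
        os.setuid(entry.pw_uid)    # irreversible once root is gone
    return drop


def run_isolated(argv, env, run_as=None):
    """Run argv with a scrubbed environment; return (returncode, stdout).

    If run_as is given the caller must be root, and the child is switched to
    that account before exec so it cannot read a 0600 cache file either.
    """
    preexec = None
    if run_as is not None:
        if os.geteuid() != 0:
            raise PermissionError("switching user requires running as root")
        preexec = make_privilege_dropper(run_as)
    proc = subprocess.run(
        argv,
        env=scrubbed_environment(env),
        preexec_fn=preexec,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        text=True,
        check=False,
    )
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    # Constructed sample server environment; the cache path is made up.
    server_env = {
        "PATH": "/usr/bin:/bin",
        "KRB5CCNAME": "/tmp/krb5cc_httpd_constructed",
    }
    rc, out = run_isolated(
        ["/bin/sh", "-c", 'echo "KRB5CCNAME=${KRB5CCNAME:-unset}"'],
        server_env,
    )
    print(rc, out.strip())   # 0 KRB5CCNAME=unset
```

Stripping the variables only stops the child from finding the cache by name; the uid switch is what stops it from opening the file anyway, which is why the thread's answer is "a different set of credentials", not just a cleaner environment.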
