[PLUG] SSI includes cool, but I guess they aren't compiled in...
Grish
grishnav at egosurf.net
Sun Aug 31 01:28:02 UTC 2003
Michael C. Robinson wrote:
>Any way to address these weaknesses?
>
> -- Michael
>
>
Which weaknesses?
CGI can be done relatively securely via suEXEC, which is why it's a nice
plus that SSIs happen to also run through it when available. First of
all, they are run as the user who owns them, which helps to contain
damage done by malicious and/or broken scripts to the user who installed
them. Second, it employs a series of sanity checks that keeps stupid
users from compromising themselves. (User: "Yay! Let's make all our
executables 0777!" suEXEC: "No fucking way. kthx.")
Of course, this relies on the integrity of the suEXEC executable. The
hope is that suexec has a secure executable, because special attention
was given to security in regards to that particular piece of code. (Not
to mention that compromising suEXEC would mean gaining root access,
since the module requires suid root to run correctly.)
Second, Apache has a set of resource limitations that can be enacted,
helping to prevent a local DoS attempt.
What other concerns do you have?
--
Grish <grishnav at egosurf.net>
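As an added example, not code from the post above or from Apache itself, the shell script below re-implements, stand-alone, the kind of sanity checks suEXEC runs before it will execute a target: the requested user must exist with a uid above a minimum, the target must sit under the document root, be a regular executable file, carry no setuid/setgid bits, be neither group- nor world-writable (the 0777 case from the thread), live in a directory that is also not writable by others, and both file and directory must be owned by the user the script would run as. The function name suexec_check, the variable SUEXEC_UID_MIN and its default of 1000 are this example's own assumptions; the real suEXEC additionally checks the group, refuses uid/gid 0, and has its minimum uid compiled in.

```shell
#!/bin/sh
# Added example: a stand-alone imitation of the sanity checks Apache's suEXEC
# performs before executing a CGI/SSI target. This is NOT suEXEC's code;
# the function and variable names are this example's own, and it omits the
# group checks and the explicit "never become root" rule the real one has.
#
# Usage: suexec_check DOCROOT USER TARGET
# Returns 0 if TARGET would be allowed, otherwise a distinct non-zero code
# per failed check, with the reason written to stderr.

# Lowest uid we are willing to switch to, so a misconfigured vhost cannot
# make us run code as a system account. 1000 is an assumption; override it
# from the environment.
: "${SUEXEC_UID_MIN:=1000}"

# Helper: print PATH if it matches the find(1) test given in the remaining
# arguments. -prune keeps find from descending when PATH is a directory.
_match() {
    f=$1; shift
    find "$f" -prune "$@" -print 2>/dev/null
}

suexec_check() {
    docroot=$1; user=$2; target=$3
    dir=$(dirname -- "$target")

    # 1. The requested user must exist and sit above the minimum uid.
    uid=$(id -u "$user" 2>/dev/null) \
        || { echo "reject: unknown user '$user'" >&2; return 1; }
    [ "$uid" -ge "$SUEXEC_UID_MIN" ] \
        || { echo "reject: uid $uid is below SUEXEC_UID_MIN=$SUEXEC_UID_MIN" >&2; return 2; }

    # 2. The target must live inside the web space.
    case $target in
        "$docroot"/*) ;;
        *) echo "reject: $target is outside document root $docroot" >&2; return 3 ;;
    esac

    # 3. It must be a regular, executable file.
    [ -f "$target" ] && [ -x "$target" ] \
        || { echo "reject: $target is not an executable regular file" >&2; return 4; }

    # 4. No setuid/setgid bits: the identity to run as has already been chosen.
    [ -z "$(_match "$target" \( -perm -4000 -o -perm -2000 \))" ] \
        || { echo "reject: $target is setuid/setgid" >&2; return 5; }

    # 5. Neither the file nor its directory may be group- or world-writable,
    #    otherwise anyone on the box could replace what gets run as $user.
    [ -z "$(_match "$target" \( -perm -0020 -o -perm -0002 \))" ] \
        || { echo "reject: $target is writable by group/others" >&2; return 6; }
    [ -z "$(_match "$dir" \( -perm -0020 -o -perm -0002 \))" ] \
        || { echo "reject: directory $dir is writable by group/others" >&2; return 7; }

    # 6. Both must be owned by the user we are about to become, so one user
    #    cannot get their script executed under another user's account.
    [ -n "$(_match "$target" -user "$user")" ] \
        || { echo "reject: $target is not owned by $user" >&2; return 8; }
    [ -n "$(_match "$dir" -user "$user")" ] \
        || { echo "reject: directory $dir is not owned by $user" >&2; return 9; }

    return 0
}
```

Run it as `suexec_check /var/www/htdocs alice /var/www/htdocs/cgi-bin/foo.cgi` and inspect the exit code; each rejected check leaves a message on stderr. On the Apache side the corresponding knobs are the SuexecUserGroup directive (mod_suexec, Apache 2.0) and the RLimitCPU, RLimitMEM and RLimitNPROC directives, which bound the CPU time, memory and process count of the children httpd forks to run such scripts and are what the post refers to as its defence against a local DoS.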