[ic] suid vs. suexec with limited cgi-bin contents

interchange-users@interchange.redhat.com
Tue Mar 5 21:59:01 2002


On Tue, Mar 05, 2002 at 07:29:23PM -0500, Jon Jensen wrote:
> On Tue, 5 Mar 2002, John Young wrote:
> 
> > What is considered better from a security standpoint (yeah,
> > I know there are a lot of variables even in this comparison):
> >
> > A) vlink as the only file in cgi-bin, suid, owned by the
> >    interchange user, and a-w on it and the cgi-bin directory.
> >
> > -or-
> >
> > B) same as above, but apache with suexec, and no suid on vlink.
> 
> I don't think there's much of a difference. With (B) you're trusting
> suexec and the operating system setuid, and with (A) you're just trusting
> the OS setuid. But suexec has been pretty rigorously tested.
> 
> Either way is fine.


An suid vlink is pretty basic.  Look at the code and compare that with
an suexec capable apache.  KISS.  :-)

If you have root privs, then suid is probably going to work better
in the big picture.

cfm

-- 

Christopher F. Miller, Publisher                               cfm@maine.com
MaineStreet Communications, Inc           208 Portland Road, Gray, ME  04039
1.207.657.5078                                         http://www.maine.com/
Content/site management, online commerce, internet integration, Debian linux
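
An added example, not part of the original thread or of Interchange itself: a POSIX shell check that a cgi-bin directory matches the layout described in option A (setuid vlink) or option B (suexec, no setuid bit). The function names, the arguments and the "suid"/"suexec" keywords are assumptions made for this example; only the file name vlink comes from the thread.

```shell
#!/bin/sh
# Added example: audit the cgi-bin layout from the thread's options A and B.
# Usage: audit_cgi_bin DIR OWNER MODE   (MODE is "suid" for A, "suexec" for B)
# DIR, OWNER and MODE are caller-supplied; only the name "vlink" is from the thread.

mode_of() { ls -ld "$1" | cut -c1-10; }   # e.g. "-r-sr-xr-x"

has_write_bit() {                          # any of u/g/o write set?
    case "$(mode_of "$1")" in
        ??w*|?????w*|????????w*) return 0 ;;
    esac
    return 1
}

has_setuid() {                             # 's' or 'S' in the owner-exec slot
    case "$(mode_of "$1")" in
        ???[sS]*) return 0 ;;
    esac
    return 1
}

audit_cgi_bin() {
    dir=$1; owner=$2; mode=$3; rc=0; link="$dir/vlink"
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }

    # vlink must be the only entry in cgi-bin.
    extras=$(ls -A "$dir" | grep -v -x 'vlink' || true)
    if [ -n "$extras" ]; then echo "FAIL: extra entries: $extras"; rc=1; fi

    # It must be a regular file (not a symlink) owned by the interchange user.
    if [ ! -f "$link" ] || [ -L "$link" ]; then
        echo "FAIL: $link missing or not a regular file"; return 1
    fi
    if [ -z "$(find "$link" -prune -user "$owner" 2>/dev/null)" ]; then
        echo "FAIL: $link not owned by $owner"; rc=1
    fi

    # a-w on both vlink and the directory.
    for p in "$link" "$dir"; do
        if has_write_bit "$p"; then echo "FAIL: $p is writable"; rc=1; fi
    done

    # Option A wants the setuid bit; option B (suexec) wants it absent.
    case "$mode" in
        suid)   has_setuid "$link" || { echo "FAIL: vlink is not setuid"; rc=1; } ;;
        suexec) ! has_setuid "$link" || { echo "FAIL: vlink is setuid"; rc=1; } ;;
        *)      echo "FAIL: unknown mode $mode"; rc=1 ;;
    esac
    return $rc
}
```

The function prints one FAIL line per finding and returns non-zero if any check fails, so it can run from cron or a deployment script.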