On January 26, 2012 13:51 , Doug McNutt <douglist@(protected):
> At 09:56 -0500 1/26/12, Mark Montague wrote, and I snipped a bunch:
>> On January 26, 2012 2:50 , Tarzan Jane<mailto:lapierre62@hotmail.com><lapierre62@(protected):
>>
>>> Concerning the security I believe when using binary scripts, security is increased some levels. Since the cgi binaries are no longer ASCII files, injecting or altering code is hardly possible.
>> If you use a binary executable instead of interpreted scripts, it's true that you eliminate some security concerns. [...] However, there are still many security concerns which still exist. And there are types of attacks that binary executables are *more* vulnerable to than scripts -- for example, buffer overflow and/or stack smashing attacks.
>
> What about cgiwrap ? Is it still supported? Can it do the job? I know it's not a perfect solution but at least it's an attempt.
cgiwrap (and suexec) can handle changing to a different user. Its main
benefit is that it can choose which user to change to based on which
CGI is requested. In a situation where you are only changing to one
other user (root), benefits of cgiwrap are minimal -- mainly sanitizing
the environment and performing some pre-execution sanity checks. Using
cgiwrap won't protect against security flaws in the CGI itself (lack of
input sanitation, buffer overflows, race conditions, etc.).
--
Mark Montague
mark@(protected)
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
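
The environment sanitizing mentioned in the reply above, sketched as an added example (not part of the original message, and not cgiwrap's or suexec's own code): an allowlist filter a wrapper could apply before exec. The allowlist, `SAFE_PATH` and the function names are assumptions; `QUERY_STRING` passes through byte for byte, so flaws in the CGI itself remain.

```c
#include <stdio.h>
#include <string.h>

/* Names passed through unchanged (assumed subset of the CGI/1.1 variables). */
static const char *const KEEP[] = {
    "GATEWAY_INTERFACE", "REQUEST_METHOD", "QUERY_STRING", "CONTENT_LENGTH",
    "CONTENT_TYPE", "SCRIPT_NAME", "PATH_INFO", "SERVER_NAME", "SERVER_PORT",
    "SERVER_PROTOCOL", "REMOTE_ADDR", NULL
};
#define SAFE_PATH "PATH=/usr/bin:/bin"   /* fixed value, never inherited */

/* Return 1 if the "NAME=value" entry may be handed to the CGI program. */
static int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;      /* malformed: drop */
    size_t n = (size_t)(eq - entry);
    if (n == 10 && strncmp(entry, "HTTP_PROXY", 10) == 0)
        return 0;              /* a Proxy: request header must not set a proxy */
    if (n > 5 && strncmp(entry, "HTTP_", 5) == 0)
        return 1;              /* other request headers set by the server */
    for (size_t i = 0; KEEP[i] != NULL; i++)
        if (strlen(KEEP[i]) == n && strncmp(entry, KEEP[i], n) == 0)
            return 1;
    return 0;                  /* LD_PRELOAD, IFS, inherited PATH, ... */
}

/* Copy allowed entries from in[] to out[] (capacity cap, NULL-terminated).
   Returns the number of entries written, or -1 if out[] is too small. */
int sanitize_env(const char *const in[], const char *out[], size_t cap)
{
    size_t k = 0;
    if (cap < 2) return -1;
    out[k++] = SAFE_PATH;
    for (size_t i = 0; in[i] != NULL; i++) {
        if (!env_allowed(in[i])) continue;
        if (k + 1 >= cap) return -1;   /* fail closed instead of truncating */
        out[k++] = in[i];
    }
    out[k] = NULL;
    return (int)k;
}

int main(void)
{
    /* Constructed sample environment, not taken from a real request. */
    const char *const in[] = { "PATH=/tmp/evil:/bin", "LD_PRELOAD=/tmp/x.so",
        "REQUEST_METHOD=GET", "QUERY_STRING=name=AAAAAAAA", NULL };
    const char *out[8];
    for (int i = 0, n = sanitize_env(in, out, 8); i < n; i++) puts(out[i]);
    return 0;
}
```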