Securing cgi scripts

DAve dave.list at pixelhammer.com
Fri Jan 22 14:55:57 UTC 2010


Good morning all,

I have been working on an issue here where I am being asked if we can
support letting clients install and run their own CGI scripts on a
shared vhost. I have tried sbox and cgiwrap, both of which worked, but they
cannot stop the one test of reading the /etc/passwd file.

Forgive my ignorance here, but I thought CGIs were gone long ago and
have not messed with them in over ten years. If a client really needs a
specific CGI script hosted, I check it out thoroughly and install it
where they cannot reach it. Those instances are very, very rare.

It looks to me like the only way to keep a client contained is to run
their CGIs chrooted. Would this be correct?

DAve
-- 
"Posterity, you will know how much it cost the present generation to
preserve your freedom.  I hope you will make good use of it.  If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Adams

http://appleseedinfo.org



More information about the freebsd-questions mailing list