Securing cgi scripts
dave.list at pixelhammer.com
Fri Jan 22 14:55:57 UTC 2010
Good morning all,
I have been working on an issue here where I am being asked if we can
support letting clients install and run their own CGI scripts on a
shared vhost. I have tried sbox and cgiwrap, both of which worked, but they
cannot stop the one test of reading the /etc/passwd file.
Forgive my ignorance here, but I thought CGIs were gone long ago and
have not messed with them in over ten years. If a client really needs a
specific CGI script hosted, I check it out thoroughly and install it
where they cannot reach it. Those instances are very very rare.
It looks to me like the only way to keep a client contained is to run
their CGIs chrooted. Would this be correct?
"Posterity, you will know how much it cost the present generation to
preserve your freedom. I hope you will make good use of it. If you
do not, I shall repent in heaven that ever I took half the pains to
preserve it." John Adams
More information about the freebsd-questions