I administer a couple of Linux machines (potato based), and have a user who wants to run cgi-bin scripts, and I would like to know if there are security concerns.

Currently all cgi-bin scripts which run are in /usr/lib/cgi-bin and owned by root. As far as I can tell Apache is configured to look only there for such scripts. My recollection is that it used to be otherwise.

There is apparently an Apache option to allow users to run cgi scripts called suEXEC, but this looks like I could open myself up for more trouble than it is worth. On the other hand, there appears to be an easy solution, but I am unclear as to the security implications.

Here is the proposed solution. To allow userX to execute cgi scripts from ~userX/public_html/cgi-bin (as root):

    cd /usr/lib/cgi-bin
    mkdir userX
    cd userX
    ln -s ~userX/public_html/cgi-bin cgi-bin

Then userX can access her scripts via http://hostname/cgi-bin/userX/cgi-bin/script_name.cgi

Since apache runs as www-data, does www-data own the cgi script? Does the user own the script? If the script executes rm -rf /*, what happens?

Thanks for any advice.

Thomas R. Shemanske
Department of Mathematics
Dartmouth College
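An added example, not part of the original post: a shell audit for a CGI tree such as /usr/lib/cgi-bin that lists symlinks resolving outside the tree (as the proposed userX/cgi-bin link would) and scripts that are not owned by the expected owner or are writable by group or other. The function names and the ESCAPES/UNTRUSTED output format are assumptions made for this example, and it assumes `readlink -f` is available.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# ESCAPES/UNTRUSTED output format are assumptions made for this sketch.
# Requires `readlink -f` (GNU coreutils or busybox).

# List symlinks under tree $1 whose resolved target lies outside the tree.
symlinks_leaving_tree() {
    root=$(readlink -f "$1") || return 2
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link") || target="(unresolvable)"
        case "$target" in
            "$root"|"$root"/*) ;;   # still inside the audited tree
            *) printf 'ESCAPES %s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# List regular files reachable through tree $1 (symlinks followed) that are
# not owned by $2 (default: root) or are writable by group or other.
untrusted_scripts() {
    root=$(readlink -f "$1") || return 2
    owner=${2:-root}
    find -L "$root" -type f \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print |
        sed 's/^/UNTRUSTED /'
}

# Usage (as root, after sourcing this file):
#   symlinks_leaving_tree /usr/lib/cgi-bin
#   untrusted_scripts /usr/lib/cgi-bin root
```

If Apache is allowed to follow such a link and suEXEC is not in use, the script runs with the privileges of the Apache user (www-data in the post), whoever owns the file, so every path reported here is code that someone other than root can change.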