[unisog] creating secure asp/cgi servers

Christopher A Bongaarts cab at tc.umn.edu
Tue Jun 4 15:54:28 GMT 2002


As Mark Brochu once put it so eloquently:

> Currently we do not offer students the ability to have scripting on their
> web pages for security reasons.  I was wondering how any of you deal with
> this issue.  I thought I heard about wrapping software to prevent poorly
> written scripts from doing any damage.  Any references to some material
> would be greatly appreciated.

Speaking from the UNIX point of view, Apache comes with suEXEC
<http://httpd.apache.org/docs/suexec.html> that is used to run CGIs
and SSIs as a particular user (also used for allowing virtual hosts
to run as a different user from the main web server).

A more general solution is cgiwrap <http://cgiwrap.unixtools.org/>,
which is a setuid CGI script that runs other CGIs.

%%  Christopher A. Bongaarts  %%  cab at tc.umn.edu       %%
%%  Internet Services         %%  http://umn.edu/~cab  %%
%%  University of Minnesota   %%  +1 (612) 625-1809    %%
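
Added example, not part of the original message and not code from Apache or cgiwrap: a sketch of the kind of ownership and permission checks a wrapper in the suEXEC style applies before running a student's script as that student. The function names, the refusal strings and the MIN_UID value are assumptions made for illustration; the checks are a simplified subset.

```python
import os
import stat
from types import SimpleNamespace

MIN_UID = 100  # assumed cut-off for system accounts; real wrappers make this configurable


def wrapper_refusals(st, target_uid, target_gid, min_uid=MIN_UID):
    """Return the reasons a wrapper would refuse to run a script.

    st is an os.stat_result (or any object with st_mode, st_uid, st_gid).
    An empty list means the script passes these checks.
    """
    reasons = []
    if target_uid == 0 or target_gid == 0:
        reasons.append("target user or group is root")
    elif target_uid < min_uid:
        reasons.append("target uid below minimum (system account)")
    if not stat.S_ISREG(st.st_mode):
        reasons.append("not a regular file")
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("script is setuid/setgid")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("script is group- or world-writable")
    if st.st_uid != target_uid or st.st_gid != target_gid:
        reasons.append("script owner/group does not match target user")
    return reasons


def audit(path, target_uid, target_gid):
    """Check a script on disk; lstat() so a symlink is judged as itself."""
    return wrapper_refusals(os.lstat(path), target_uid, target_gid)


# Constructed sample metadata (no real files or accounts).
SAMPLES = {
    "student script, 0755, owned by student": SimpleNamespace(
        st_mode=stat.S_IFREG | 0o755, st_uid=1500, st_gid=1500),
    "world-writable script": SimpleNamespace(
        st_mode=stat.S_IFREG | 0o777, st_uid=1500, st_gid=1500),
    "setuid script owned by root": SimpleNamespace(
        st_mode=stat.S_IFREG | 0o4755, st_uid=0, st_gid=0),
}

if __name__ == "__main__":
    for label, st in SAMPLES.items():
        print(label, "->", wrapper_refusals(st, 1500, 1500) or "ok")
```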
