[496] in WWW Security List Archive


Re: Security risks with CGI

daemon@ATHENA.MIT.EDU (Darren Reed)
Fri Mar 3 08:22:37 1995

From: Darren Reed <darrenr@vitruvius.arbld.unimelb.edu.au>
To: t-jont@microsoft.com (Jonathon Tidswell)
Date: Fri, 3 Mar 1995 20:55:06 +1100 (EST)
Cc: hallam@dxal18.cern.ch, www-security@ns2.rutgers.edu, t-jont@microsoft.com
In-Reply-To: <9503030613.AA29617@netmail2.microsoft.com> from "Jonathon Tidswell" at Mar 3, 95 03:46:10 pm
Errors-To: owner-www-security@ns2.rutgers.edu

In some email I received from Jonathon Tidswell, they wrote:
> 
> 
> I believe most of Phil's concerns relate to the security offered by the shell (none).
> (IMO) A shell used in such an environment should offer more comprehensive and
> certainly more flexibility than the basic process security model.
> Similar problems exist under NT, the lack of setuid() removing some and the lack
> of chroot() adding others.
> 
> I also believe that adding the code to the server is a worse solution.
> It is probably appropriate for the commercial vendors to include extras
> in their commercial offerings but in a research environment things change
> too fast too often that insufficiently analysed code would end up in the server.
> 
> Comments ... ? ( on or off the list )
> 
> - Jon Tidswell

What are the side effects/benefits of using rsh ? (restricted sh, not the
BSD remote sh).

darren
