[2871] in WWW Security List Archive
Re: Security aspects of Microsoft FrontPage server extensions?
daemon@ATHENA.MIT.EDU (David W. Morris)
Sun Sep 1 21:32:31 1996
Date: Sun, 1 Sep 1996 16:40:07 -0700 (PDT)
From: "David W. Morris" <dwm@shell.portal.com>
Reply-To: "David W. Morris" <dwm@shell.portal.com>
To: www-security@ns2.rutgers.edu
In-Reply-To: <199608311417.AA176861033@merle.acns.nwu.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

On Sat, 31 Aug 1996, Albert Lunde wrote:
> In the latest case, I made the administrative cgi binaries
> (which had to write to the database and config files)
> setuid and setgid to that user and group. (I also
> domain limited and password protected access.)

I've been wondering for a while why what I thought was such an obvious
solution hadn't been mentioned. One of my clients is shipping a
product I wrote over a year ago which insists very strongly that the
installer predefine a unique userid and group for execution of the
CGI.c binary. The install script does the setu/gid magic automatically.
This let the CGI access private data and create data files which were
reasonably secure ... assuming the server system itself was carefully
administered.

Dave Morris
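
The layout discussed in this thread (a CGI binary setuid and setgid to a dedicated account, with private data reachable only through it) can be audited after installation. The script below is an added example, not code from either poster or from the product mentioned; the function names, the sample paths and the particular mode bits checked are assumptions, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: audit a setuid/setgid CGI install. Assumes GNU stat (Linux).

# audit_cgi_install BIN DATADIR UID GID
#   UID/GID are the numeric ids of the dedicated CGI account.
#   Prints one line per finding; exit status 0 = clean, 1 = findings, 2 = error.
audit_cgi_install() (
    bin=$1 data=$2 want_uid=$3 want_gid=$4 rc=0
    finding() { echo "FINDING: $*"; rc=1; }

    set -- $(stat -c '%u %g %a' -- "$bin" 2>/dev/null)
    [ $# -eq 3 ] || { echo "ERROR: cannot stat $bin"; exit 2; }
    b_uid=$1 b_gid=$2 b_mode=$((0$3))

    [ "$b_uid" = "$want_uid" ] || finding "$bin owner uid $b_uid, expected $want_uid"
    [ "$b_gid" = "$want_gid" ] || finding "$bin group gid $b_gid, expected $want_gid"
    [ $((b_mode & 04000)) -ne 0 ] || finding "$bin is not setuid"
    [ $((b_mode & 02000)) -ne 0 ] || finding "$bin is not setgid"
    # A setuid binary should be writable by its owner only.
    [ $((b_mode & 0022)) -eq 0 ] || finding "$bin is group- or world-writable"

    set -- $(stat -c '%u %a' -- "$data" 2>/dev/null)
    [ $# -eq 2 ] || { echo "ERROR: cannot stat $data"; exit 2; }
    d_uid=$1 d_mode=$((0$2))

    [ "$d_uid" = "$want_uid" ] || finding "$data owner uid $d_uid, expected $want_uid"
    # The web server's own account falls under "other": it should reach the
    # data only through the setuid binary, never directly.
    [ $((d_mode & 0007)) -eq 0 ] || finding "$data is accessible to other users"

    exit "$rc"
)

# Constructed sample install; the current user stands in for the CGI account.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/data" && : > "$d/admin.cgi" || return 1
    chmod 6755 "$d/admin.cgi" && chmod 0700 "$d/data" || return 1
    echo "$d"
}

sample=$(make_sample)
audit_cgi_install "$sample/admin.cgi" "$sample/data" "$(id -u)" "$(id -g)" && echo "clean"
rm -rf "$sample"
```

On a real install, pass the path of the CGI binary, its data directory and the numeric ids of the account the installer created.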