[5034] in WWW Security List Archive
Re: user cgi-advice SUMMARY
daemon@ATHENA.MIT.EDU (Abigail)
Fri Apr 11 18:23:34 1997
From: abigail@fnx.com (Abigail)
To: elroy@kcsun3.kcstar.com (elroy)
Date: Fri, 11 Apr 1997 15:11:16 -0400 (EDT)
Cc: abigail@fnx.com, www-security@ns2.rutgers.edu
Reply-To: abigail@fnx.com
In-Reply-To: <Pine.SUN.3.91.970411124727.26432A-100000@kcsun3.kcstar.com> from "elroy" at Apr 11, 97 01:44:41 pm
Errors-To: owner-www-security@ns2.rutgers.edu
You, elroy, wrote:
++
++ On Fri, 11 Apr 1997, Abigail wrote:
++
++ > It's odd that it makes you paranoid when you give them a compiler, yet
++ > you give them perl. Who needs a compiler when you have perl?
++
++ Who needs Perl when you have a compiler? ;)
++
++ I wouldn't even give them Perl if I could help it, but the point of my
++ original post was to enable user-generated CGI in a secure manner.
++ The Webmasters want Perl. Also, a Perl program IS its own source, and it
++ makes it convenient for me if I want to see what it does. With a binary,
++ the source need not be available. Leaves me looking at "black box" programs,
++ and wondering what they do, etc. I really don't want to read their
++ programs, but at least they're there if I need them.
Well, they can still install a binary...
++ > It would have been easier to give them their own machine. Buy a Pentium,
++ > put a free Unix on it, and let them have their way with it.
++
++ I have to disagree with you on this point.
++
++ I don't need another machine to worry
++ about. I also don't want to spend the money, either on the hardware, or the
++ software. It *is* an attractive solution, but creates more problems than
++ solutions in my case. I think if it's appropriate for you, it's a good
++ choice.
++
++ My clients have a right to expect a level of performance, and I'm
++ professionally obligated to provide a stable and secure environment for them
++ to conduct their business. I can't really say "Sorry, your site is down
++ because I let the users have their way with it" and expect to stay in
++ business. I'm much more familiar with securing Irix and Solaris
++ than Linux or FreeBSD, so I use what I know.
I'm just saying that if you are so paranoid that users disrupt the server,
or files from other users, it might be better to give them their own
machine. If they then goof up, they only goof up themselves, and not
your other customers. And hey, it could even be a marketing ploy:
"You got your own server - there is no one to share it with".
But it's your business.
++ Additionally, my clients won't tolerate the notion of the thing. They
++ want to be on a *server*, NOT on a PC. They want their site serviced by
"server" is a function, "PC" is a form of hardware.
++ server *software*, not freeware. I provide this for them, and they pay for it. I
Bleh, as if freeware isn't software. :)
++ don't personally have a problem with Apache on Linux or FreeBSD on a PC, but
++ my customers want something better. I also prefer working on higher-end
++ equipment, so we all get something out of it :)
BTW, if they have a problem with 'freeware', why do they want perl?
Personally, I have a preference for freeware, especially in cases when
there are bugs. Freeware (at least things like Linux, perl, etc.) tends
to have the reported bugs fixed way faster than large commercial
software.
Abigail