[5035] in WWW Security List Archive
Re: user cgi-advice SUMMARY
daemon@ATHENA.MIT.EDU (elroy)
Fri Apr 11 18:24:58 1997
Date: Fri, 11 Apr 1997 13:44:41 -0500 (CDT)
From: elroy <elroy@kcsun3.kcstar.com>
To: Abigail <abigail@fnx.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199704111617.MAA01420@fnx.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Fri, 11 Apr 1997, Abigail wrote:
> It's odd that it makes you paranoid when you give them a compiler, yet
> you give them perl. Who needs a compiler when you have perl?
Who needs Perl when you have a compiler? ;)
I wouldn't even give them Perl if I could help it, but the point of my
original post was to enable user-generated CGI in a secure manner.
The Webmasters want Perl. Also, a Perl program IS its own source, and it
makes it convenient for me if I want to see what it does. With a binary,
the source need not be available. Leaves me looking at "black box" programs,
and wondering what they do, etc. I really don't want to read their
programs, but at least they're there if I need them.
> It would have been easier to give them their own machine. Buy a Pentium,
> put a free Unix on it, and let them have their way with it.
I have to disagree with you on this point. I don't need another machine to
worry about. I also don't want to spend the money, either on the hardware, or the
software. It *is* an attractive solution, but creates more problems than
solutions in my case. I think if it's appropriate for you, it's a good
choice.
My clients have a right to expect a level of performance, and I'm
professionally obligated to provide a stable and secure environment for them
to conduct their business. I can't really say "Sorry, your site is down
because I let the users have their way with it" and expect to stay in
business. I'm much more familiar with securing Irix and Solaris
than Linux or FreeBSD, so I use what I know.
Additionally, my clients won't tolerate the notion of the thing. They
want to be on a *server*, NOT on a PC. They want their site serviced by
server *software*, not freeware. I provide this for them, and they pay for it. I
don't personally have a problem with Apache on Linux or FreeBSD on a PC, but
my customers want something better. I also prefer working on higher-end
equipment, so we all get something out of it :)
-elroy (elroy@kcstar.com)