[5059] in WWW Security List Archive
RE: user cgi-advice SUMMARY
daemon@ATHENA.MIT.EDU (DeepSummer-HomeofWebSiteDesignsExt)
Sun Apr 13 21:30:22 1997
From: Deep Summer - Home of Web Site Designs Extraordinare
<frank@deepsummer.com>
To: Abigail <abigail@fnx.com>, "'elroy'" <elroy@kcsun3.kcstar.com>
Cc: "www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>
Date: Sun, 13 Apr 1997 13:47:00 -0600
Errors-To: owner-www-security@ns2.rutgers.edu
> don't personally have a problem with Apache on Linux or FreeBSD on a PC, but
> my customers want something better.
Better than Apache? ... (falling... falling... *klunk*...)
----------
From: elroy[SMTP:elroy@kcsun3.kcstar.com]
Sent: Friday, April 11, 1997 7:44 AM
To: Abigail
Cc: www-security@ns2.rutgers.edu
Subject: Re: user cgi-advice SUMMARY
On Fri, 11 Apr 1997, Abigail wrote:
> It's odd that it makes you paranoid when you give them a compiler, yet
> you give them perl. Who needs a compiler when you have perl?
Who needs Perl when you have a compiler? ;)
I wouldn't even give them Perl if I could help it, but the point of my
original post was to enable user-generated CGI in a secure manner.
The Webmasters want Perl. Also, a Perl program IS its own source, and it
makes it convenient for me if I want to see what it does. With a binary,
the source need not be available. That leaves me looking at "black box" programs,
and wondering what they do, etc. I really don't want to read their
programs, but at least they're there if I need them.
> It would have been easier to give them their own machine. Buy a Pentium,
> put a free Unix on it, and let them have their way with it.
I have to disagree with you on this point. I don't need another machine to
worry about. I also don't want to spend the money, either on the hardware, or
the software. It *is* an attractive solution, but creates more problems than
solutions in my case. I think if it's appropriate for you, it's a good
choice.
My clients have a right to expect a level of performance, and I'm
professionally obligated to provide a stable and secure environment for them
to conduct their business. I can't really say "Sorry, your site is down
because I let the users have their way with it" and expect to stay in
business. I'm much more familiar with securing Irix and Solaris
than Linux or FreeBSD, so I use what I know.
Additionally, my clients won't tolerate the notion of the thing. They
want to be on a *server*, NOT on a PC. They want their site serviced by
server *software*, not freeware. I provide this for them, and they pay for it. I
don't personally have a problem with Apache on Linux or FreeBSD on a PC, but
my customers want something better. I also prefer working on higher-end
equipment, so we all get something out of it :)
-elroy (elroy@kcstar.com)