From owner-freebsd-questions@FreeBSD.ORG Fri Jan 22 14:55:57 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A4B5B1065676 for ; Fri, 22 Jan 2010 14:55:57 +0000 (UTC) (envelope-from dave.list@pixelhammer.com) Received: from smtp2.tls.net (smtp2.tls.net [65.124.104.105]) by mx1.freebsd.org (Postfix) with ESMTP id 4A8C38FC1A for ; Fri, 22 Jan 2010 14:55:57 +0000 (UTC) Received: (qmail 70812 invoked from network); 22 Jan 2010 14:55:56 -0000 Received: by simscan 1.2.3 ppid: 70760, pid: 70809, t: 0.1197s scanners: attach: 1.2.3 spam: 3.2.1 X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on smtp-2.tls.net X-Spam-Level: * X-Spam-Status: No, score=1.6 required=7.0 tests=ALL_TRUSTED,TVD_RCVD_IP autolearn=disabled version=3.2.1 Received: from 64-184-8-201.bb.hrtc.net (HELO ?192.168.1.46?) (ldg@tls.net@64.184.8.201) by ssl-smtp2.tls.net with ESMTPA; 22 Jan 2010 14:55:56 -0000 Message-ID: <4B59BC65.3040905@pixelhammer.com> Date: Fri, 22 Jan 2010 09:55:33 -0500 From: DAve User-Agent: Thunderbird 2.0.0.12 (Windows/20080213) MIME-Version: 1.0 To: 'User Questions' X-Enigmail-Version: 0.96.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Securing cgi scripts X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Jan 2010 14:55:57 -0000 Good morning all, I have been working on an issue here where I am being asked if we can support letting clients install and run their own CGI scripts on a shared vhost. I have tried sbox and cgiwrap, both which worked, but they cannot stop the one test of reading the /etc/passwd file. Forgive my ignorance here, but I thought CGIs were gone long ago and have not messed with them in over ten years. If a client really needs a specfic CGI script hosted, I check it out thoroughly and install it where they cannot reach it. Those instances are very very rare. It looks to me like the only way to keep a client contained is to run their CGIs chrooted. Would this be correct? DAve -- "Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it." John Adams http://appleseedinfo.org