[ic] suid vs. suexec with limited cgi-bin contents

Jon Jensen interchange-users@interchange.redhat.com
Tue Mar 5 19:30:01 2002


On Tue, 5 Mar 2002, John Young wrote:

> What is considered better from a security standpoint (yeah,
> I know there are a lot of variables even in this comparison):
>
> A) vlink as the only file in cgi-bin, suid, owned by the
>    interchange user, and a-w on it and the cgi-bin directory.
>
> -or-
>
> B) same as above, but apache with suexec, and no suid on vlink.

I don't think there's much of a difference. With (B) you're trusting
suexec and the operating system setuid, and with (A) you're just trusting
the OS setuid. But suexec has been pretty rigorously tested.

Either way is fine.

Jon
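
The cgi-bin layout described in the question can be checked mechanically. The script below is an added example, not part of the original thread or of Interchange; the function names and the account name "interchange" are assumptions, and `vlink` is taken as the literal file name used in the question.

```shell
#!/bin/sh
# usage: audit_cgi_bin DIR OWNER MODE
#   OWNER: account name or numeric uid ("interchange" is an assumed name)
#   MODE:  suid (option A) or suexec (option B)

# True when any of the user/group/other write bits is set on $1.
has_write_bits() {
    [ -n "$(find "$1" -prune \( -perm -200 -o -perm -020 -o -perm -002 \) -print)" ]
}

audit_cgi_bin() {
    dir=$1; owner=$2; mode=$3; rc=0
    link="$dir/vlink"

    # A symlink or missing file makes the remaining checks meaningless.
    if [ -L "$link" ] || [ ! -f "$link" ]; then
        echo "FAIL: $link is not a regular file"; return 1
    fi
    # vlink must be the only entry in the directory.
    if [ "$(ls -A "$dir")" != "vlink" ]; then
        echo "FAIL: $dir contains entries other than vlink"; rc=1
    fi
    # Owned by the interchange user.
    if [ -z "$(find "$link" -prune -user "$owner" -print 2>/dev/null)" ]; then
        echo "FAIL: $link is not owned by $owner"; rc=1
    fi
    # a-w on both vlink and the cgi-bin directory.
    for p in "$link" "$dir"; do
        if has_write_bits "$p"; then echo "FAIL: $p has a write bit set"; rc=1; fi
    done
    # Option A needs the setuid bit; option B must not have it
    # (Apache's suexec refuses setuid/setgid targets).
    case $mode in
        suid)   [ -u "$link" ] || { echo "FAIL: $link is not setuid"; rc=1; } ;;
        suexec) if [ -u "$link" ] || [ -g "$link" ]; then
                    echo "FAIL: $link is setuid/setgid"; rc=1
                fi ;;
        *)      echo "FAIL: unknown mode '$mode'"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK: $dir matches the $mode layout"; fi
    return "$rc"
}

# Run only when called with arguments, e.g.: sh audit.sh /path/to/cgi-bin interchange suid
if [ "$#" -eq 3 ]; then audit_cgi_bin "$@"; fi
```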