Date: Fri, 19 Jan 2001 01:02:12 +0000 From: Tony Finch <dot@dotat.at> To: Dag-Erling Smorgrav <des@ofug.org> Cc: Gordon Tetlow <gordont@bluemtn.net>, "Michael R. Wayne" <wayne@staff.msen.com>, hackers@FreeBSD.ORG Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general) Message-ID: <20010119010212.A87258@hand.dotat.at> In-Reply-To: <xzpu26wvcfk.fsf@flood.ping.uio.no> References: <Pine.BSF.4.31.0101181119530.27604-100000@sdmail0.sd.bmarts.com> <xzpu26wvcfk.fsf@flood.ping.uio.no>
next in thread | previous in thread | raw e-mail | index | archive | help
Dag-Erling Smorgrav <des@ofug.org> wrote: >Gordon Tetlow <gordont@bluemtn.net> writes: >> If you are using apache (who isn't?), I highly suggest you look into using >> suexec. That way bad CGI programming is offloaded to the customer and not >> to your system. > >suexec has many weaknesses - amongst other problems, it does not set >resource limits; nor does it chroot as far as I recall. Apache itself has support for setting resource limits, although I agree that in many cases you may want them to be different between the httpd and the CGIs. I expect chrooting was left out because people who have the wit to set up a chroot are capable of adding a couple of lines to a C program. Tony. -- f.a.n.finch fanf@covalent.net dot@dotat.at "Because all you of Earth are idiots!" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010119010212.A87258>