From owner-freebsd-hackers  Thu Jan 18 17: 4:13 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from hand.dotat.at (sfo-gw.covalent.net [207.44.198.62])
	by hub.freebsd.org (Postfix) with ESMTP id 3166037B6A2
	for <hackers@freebsd.org>; Thu, 18 Jan 2001 17:03:56 -0800 (PST)
Received: from fanf by hand.dotat.at with local (Exim 3.15 #3)
	id 14JPwS-000E0H-00; Fri, 19 Jan 2001 01:02:12 +0000
Date: Fri, 19 Jan 2001 01:02:12 +0000
From: Tony Finch <dot@dotat.at>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Gordon Tetlow <gordont@bluemtn.net>,
	"Michael R. Wayne" <wayne@staff.msen.com>, hackers@FreeBSD.ORG
Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general)
Message-ID: <20010119010212.A87258@hand.dotat.at>
References: <Pine.BSF.4.31.0101181119530.27604-100000@sdmail0.sd.bmarts.com> <xzpu26wvcfk.fsf@flood.ping.uio.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <xzpu26wvcfk.fsf@flood.ping.uio.no>
Organization: Covalent Technologies, Inc
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Dag-Erling Smorgrav <des@ofug.org> wrote:
>Gordon Tetlow <gordont@bluemtn.net> writes:
>> If you are using apache (who isn't?), I highly suggest you look into using
>> suexec. That way bad CGI programming is offloaded to the customer and not
>> to your system.
>
>suexec has many weaknesses - amongst other problems, it does not set
>resource limits; nor does it chroot as far as I recall.

Apache itself has support for setting resource limits, although I
agree that in many cases you may want them to be different between the
httpd and the CGIs.

I expect chrooting was left out because people who have the wit to set
up a chroot are capable of adding a couple of lines to a C program.

Tony.
-- 
f.a.n.finch    fanf@covalent.net    dot@dotat.at
"Because all you of Earth are idiots!"


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message