> I am looking at giving some of my users access to putting
> up thier own cgi scripts (ugh), and I was looking for a
> safe way to do that. I have the cgiwrap program that
> does a suid to the user.
First of all, I assume you *have* to do this. An option not to
do that would be to provide a mirror of the server inside for them to
develop CGI scripts on, and a procedure whereby they vett them through
some knowledgeable people to make sure they're not giving away the
farm. At that point you move their script to the appropriate place on
your server. Obviously you need some rules about what they can use for
CGI development, etc, but this is usually preferable to having it wide
> What I would like to do is have it also chroot to a
> protected area where it could only do limited damage.
> (The problem with just cgiwrap is that while my users
> won't be intentionally malicous they may be incompetent
> and someone else may be malicious).
I'd probably just chroot the whole web server (I.E. make a hole
for the daemon to run in) That and if your users can just write stuff
I'd probably want to make this just a "sacrificial" machine. I.E. not
even your real web server with your corporate image, etc. on it. Put it
outside, protect it the best you can, and bring it back when it
From: Ryan Mooney <ryan @