Ondřej Surý wrote:
>> So the actual item for the wishlist is to be able to specify a user (or more
>> than one) that are considered trusted. Suexec will then allow files
>> owned by either the target user, or by a trusted user, to be executed.
>
> Use chattr +i <file>
>
> Ondrej.

That much we had already figured out.

Alexander Prinsier wrote:
>> Second, you could use "chattr +i" to prevent users from changing the
>> wrapper. This is somewhat fragile, though, because backup programs
>> usually will not restore the immutable flag.
>
> I've tried that approach, and it is indeed fragile. Certainly when I
> want the cgi script itself to be autogenerated by another script, which
> takes into account user preferences etc.

Currently I do

- chattr -i $file
- replace $file
- chattr +i $file

:-|

Fortunately though, one can still <Alias> stuff like PHP forum software etc. in the users' domains in order to keep it in a central location, as only the wrapper has the suexec limitations, but not what is called by the wrapper.

As for the CGI scripts, you are right, keeping them in a central place is not currently possible. :-(

What I/my control panel do is, there is a central location where these scripts are stored, and the users' cgi-bins are updated from that location. One however has to take precautions (e.g. in the form of cron jobs) to update the users once the central repository gets updated.

This is a pity as otherwise the modfcgid/fastcgi+php variant works pretty well and is pretty secure too.
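
The chattr -i / replace / chattr +i sequence and the cron-driven update from a central location described above, as an added example that is not part of the original message or of any project's code. The function name, its arguments and return codes, the CHATTR override variable and the paths in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: sync_wrapper, CHATTR.
# Set CHATTR=true on filesystems that lack the immutable flag.
CHATTR="${CHATTR:-chattr}"

# sync_wrapper MASTER TARGET OWNER:GROUP
# Returns 0 = target replaced, 1 = already current, 2 = error.
sync_wrapper() {
    master=$1; target=$2; owner=$3
    [ -f "$master" ] || return 2

    if [ -f "$target" ] && cmp -s "$master" "$target"; then
        # Content matches; re-assert the flag in case a backup restore dropped it.
        "$CHATTR" +i "$target" || return 2
        return 1
    fi

    # Stage the new copy beside the target so the final rename is atomic.
    # mktemp creates the file exclusively, so a pre-planted name is not reused.
    tmp=$(mktemp "$target.XXXXXX") || return 2
    if ! { cp "$master" "$tmp" && chown "$owner" "$tmp" && chmod 0755 "$tmp"; }; then
        rm -f "$tmp"
        return 2
    fi

    # An immutable file cannot be renamed over, so clear the flag only for the swap.
    if [ -e "$target" ]; then
        "$CHATTR" -i "$target" || { rm -f "$tmp"; return 2; }
    fi
    mv -f "$tmp" "$target" || { rm -f "$tmp"; return 2; }
    "$CHATTR" +i "$target" || return 2
    return 0
}

# Cron usage (constructed paths):
#   sync_wrapper /usr/local/lib/cgi-master/php-wrapper /home/alice/cgi-bin/php-wrapper alice:alice
```

Between the mv and the final chattr +i the file is briefly replaceable by its owner; because every run compares content against the master, a wrapper altered in that window is overwritten on the next cron pass.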