> Welllll... an anonymous account that can't really do very much. As you
> said, "nobody" has very little access to anything.

Read this paragraph again:

> >This is where the fun starts. Since everything is run by the user
> >"nobody", cgis and server side includes are as well. Up until now, all
> >users could execute arbitrary code as user nobody. Nasty. This is a
> >gross security risk - basically we were giving you an anonymous account
> >to do what you wanted with.
> I think maybe we need to review this decision. I'm not a web expert by any
> stroke of the pen but I don't know that we've actually solved our problem.
> We may have made it worse:

You seem to be worried about the security of your own programs - you could
just as easily type rm -rf ~ in your shell as you could type it in a script.
What you should be careful about is writing CGIs which execute commands based
on input from a form...

If you don't trust your CGI programs, you shouldn't put them on the web.

-- Ryan Heise <mac hacker>
"Indeed, it would not be an exaggeration to describe the history of
the computer industry for the past decade as a massive attempt to
keep up with Apple." - Byte, Dec. 94
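
The risk named in the reply above, a CGI that executes commands based on form input, shown as an added example that is not part of the original message or of any code from the thread. The `finger` lookup, the `user` form field and the username pattern are assumptions chosen for illustration.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Assumption: the CGI looks up a local account with finger(1); any external
# command that takes a user-supplied argument has the same problem.
LOOKUP_CMD = "/usr/bin/finger"
# Allowlist: what a login name may look like on this (hypothetical) system.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def form_value(query_string, field):
    """Return the first value of a form field, URL-decoded, or ''."""
    return parse_qs(query_string, keep_blank_values=True).get(field, [""])[0]


def unsafe_command(query_string):
    """What a careless CGI hands to /bin/sh: form input pasted into a string.

    Returned, never executed, so the effect of the metacharacters is visible.
    """
    return "finger " + form_value(query_string, "user")


def safe_argv(query_string):
    """Validate against the allowlist, then build an argument vector.

    No shell parses the result, so ';', '|', '`' and '$()' have no meaning,
    and the allowlist also stops values starting with '-' (option injection).
    """
    user = form_value(query_string, "user")
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("rejected form value: %r" % user)
    return [LOOKUP_CMD, user]


def run_lookup(query_string):
    """CGI body: run the lookup without a shell and return its output."""
    argv = safe_argv(query_string)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    for qs in ("user=ryan", "user=ryan%3Bid"):  # constructed sample requests
        print("shell string:", unsafe_command(qs))
        try:
            print("argv:        ", safe_argv(qs))
        except ValueError as exc:
            print("refused:     ", exc)
```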