Re: browser execution

Tony Sanders <sanders@bsdi.com>
Errors-To: sanders@bsdi.com
Errors-To: sanders@bsdi.com
Message-id: <9306291821.AA05096@austin.BSDI.COM>
To: www-talk@nxoc01.cern.ch
Subject: Re: browser execution 
In-Reply-To: Marc's message of Tue, 29 Jun 93 02:02:20 CDT.
Errors-To: sanders@bsdi.com
Reply-To: sanders@bsdi.com
Organization: Berkeley Software Design, Inc.
Date: Tue, 29 Jun 1993 13:21:01 -0500
From: Tony Sanders <sanders@bsdi.com>
Marc wisely said:
> Having browsers execute code is *very* scary.  Servers generally run
> (or should run -- no reason not to) as userid 'nobody', and as such
> can cause practically no damage to anything.  In any case, server
> writers have much more knowledge about what's going to happen and what
> could happen while writing a server than client users do while just
> randomly clicking hyperlinks.  I don't see as there's any reason to
> think that client-side execution is safer.

In either case you should probably **seriously** think about running
in a chroot()'ed environment (which requires root perms to setup
of course).

Also, what about DOS environments (et.al.) where you have neither file
permissions nor chroot().  I think you are just SOL.

--sanders