[rt-users] Insecure dependency with FastCGI

Bob Goldstein bobg at uic.edu
Mon Nov 17 09:46:33 EST 2003


>Hanno Mueller wrote:
>
>> I'm trying to install RT on a Debian Stable box. Since Debian doesn't
>> come with Perl 5.8 yet, I compiled my own 5.8.2. It runs Apache 1.3.26
>> with FastCGI.

    ....
>
>Is anyone else running RT 3.0.6 as a CGI or as a FastCGI? I cannot 
>install mod_perl on this server, so any help is greatly appreciated.
>

    I have RT 3.0.6 running with FastCGI, perl 5.8.1.
    I have mod_perl installed, but I prefer fastcgi for RT
    so that I can run multiple instances of RT.

    In the process of flailing at this originally, I set
    apache to run as group 'rt'.  So I think perl doesn't see
    the fastcgi as running setgid, since RGID == EGID,
    and so doesn't run taint checks.  (That wasn't
    my original intention, just worked out that way.)

    In my case, I'm not using this server or apache instance
    for anything but RT, so tuning it to run RT is ok.
    That may or may not be ok for you.

      bobg
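
The reply above turns on how Perl decides to enable taint checks: it does so automatically when the real and effective uid or gid differ, or when started with -T. The following diagnostic is an added example, not code from the thread or from RT; dropped into the same environment as the FastCGI handler, it reports the process credentials and whether taint mode is active. The uid/gid numbers in the constructed cases (33, 1001) are made up for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): report whether Perl enabled
# taint mode for this process and which credential mismatch would cause it.
use strict;
use warnings;

# $( and $) hold space-separated lists; the first number is the real /
# effective gid, the rest are supplementary groups.
sub credentials {
    my ($rgid) = split ' ', $(;
    my ($egid) = split ' ', $);
    return { ruid => $<, euid => $>, rgid => $rgid, egid => $egid };
}

# Perl turns taint checks on by itself when real and effective uid or gid
# differ (setuid/setgid execution); -T / -t request them explicitly.
sub taint_reasons {
    my ($c) = @_;
    my @why;
    push @why, "RUID $c->{ruid} != EUID $c->{euid}" if $c->{ruid} != $c->{euid};
    push @why, "RGID $c->{rgid} != EGID $c->{egid}" if $c->{rgid} != $c->{egid};
    return @why;
}

# ${^TAINT}: 1 = taint mode on, -1 = taint warnings only (-t), 0 = off.
sub taint_state {
    return ${^TAINT} == 1 ? 'enforced' : ${^TAINT} == -1 ? 'warn-only' : 'off';
}

my $c   = credentials();
my @why = taint_reasons($c);
printf "uid real=%d eff=%d  gid real=%d eff=%d\n", @{$c}{qw(ruid euid rgid egid)};
printf "taint mode: %s\n", taint_state();
print  "automatic trigger: ", (@why ? join('; ', @why) : 'none (ids match)'), "\n";

# Constructed cases showing the rule without needing a setgid binary.
for my $case ({ ruid => 33, euid => 33, rgid => 33,   egid => 1001 },   # setgid handler
              { ruid => 33, euid => 33, rgid => 1001, egid => 1001 }) { # server group == handler group
    my @r = taint_reasons($case);
    print "constructed: ", (@r ? "taint forced (@r)" : "no automatic taint"), "\n";
}
```

If the ids match and taint checking is still wanted, starting the handler with -T on its #! line turns it on regardless of credentials.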


