Date: Mon, 21 Jan 2002 20:46:34 -0500
From: Robert Hahn
To: gopher@complete.org
Subject: [gopher] Security issues in Gopher?
In-Reply-To: <87pu43g046.fsf@complete.org>

While poking about on the web trying to determine whether anyone else has compiled Gopher on Mac OS X, I came across some references to security alerts regarding Gopher. They all seem to talk about buffer overflow exploits.

Seeing that they're all attributed to 2.x versions of Gopher, I'm wondering: with the recent work that has gone into it, have the programmers for the project made an effort to tackle security on a proactive basis instead of a reactive one? I would hardly be unique by saying I don't want my system hacked. :)

A related question: I've noticed that one way (and the existing documentation seems to imply that it's the preferred way) to run gopherd is as root. I've been a web developer for many years, and I remember the days when the developers at Apache campaigned to get administrators to run their server as user nobody or www. The reasoning behind it seems pretty sound to me (i.e., user 'nobody' can't really do a whole lot of damage), so I'm wondering what it would take for me to run gopherd as nobody - and better still, why people are running it as root.

Thanks, all!

-rh