X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=userv-utils.git;a=blobdiff_plain;f=www-cgi%2Fwww-cgi;h=364f7e526a08aca607d564ef9025f1b90a3ab4d1;hp=c3dabfc4addd61758980b39105fac2d8a9362b6a;hb=186ea161e7d144dd8e3791f174a7173e2f399346;hpb=2cbcd670c5dfcda374720737fa5a5cd0be93e338 diff --git a/www-cgi/www-cgi b/www-cgi/www-cgi index c3dabfc..364f7e5 100644 --- a/www-cgi/www-cgi +++ b/www-cgi/www-cgi @@ -1,3 +1,18 @@ +# This service which allows CGI programs to be provided which do not +# run as the webserver user, but instead are owned by a particular +# other account. +# +# Similar effects can be achieved with Apache's suexec; this facility +# is for administrators who do not trust suexec and wish to defend the +# webserver from the CGI script providers, and vice versa, as much as +# possible. This is achieved by using userv to do the cross-account +# call, rather than a custom setuid helper. +# +# This default configuration allows the webserver user to invoke +# users' CGI programs from each user's ~/public-cgi, but to allow +# external http clients to do this, the webserver will also need to be +# configured. + if ( grep service-user-shell /etc/shells & glob calling-user www-data )
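Review bot: The opening sentence of the new header comment, "This service which allows CGI programs to be provided which do not run as the webserver user", has no main verb; dropping the first "which" gives "This service allows CGI programs to be provided which do not run as the webserver user". In the last paragraph of the same comment, "the webserver user" is left generic, while the unchanged condition right after it matches `glob calling-user www-data` and also tests `service-user-shell` against /etc/shells. Naming www-data and mentioning the shell test in the comment would tell an administrator whose webserver runs under another account, or whose CGI-owning account has an unlisted shell, which condition to look at.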