Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight

Re: Yet Another Security Question

by Aighearach (Initiate)
on Jun 24, 2001 at 00:01 UTC ( #91001=note: print w/replies, xml ) Need Help??

in reply to Yet Another Security Question

You don't need world writable directories.

(I'm assuming *nix here)

You need the directories to be writable by the webserver, which is usually the user called "nobody".

What I like to do is to set the group ownership to nobody, then set them user and group writable.

update: you might not be able to set group ownership to nobody if you're not root. If this is the case, you will have to ask your sysadmin to do it. (there is probably no workaround)
Snazzy tagline here

Replies are listed 'Best First'.
Re: Yet Another Security Question
by cLive ;-) (Prior) on Jun 24, 2001 at 01:03 UTC
    Hmmm. But if I am another user on this box, I can set up a cgi script to update this data, because my cgi script is also run by the server as nobody. Yes?

    If you have root access or a friendly sysadmin, ask them to install cgiwrap. Then you can run scripts as yourself, and set datafile permissions to 600. The cobalt RaQ servers come with cgiwrap seamlessly installed (not a plug, have had both good and bad experiences with these).

    Alternatively, you can set the effective uid of the script with chmod u+s (I'm sure there are tutorials - I'm a little fuzzy on this as I use cgiwrap). Or write a C wrapper for the script and suid that (more robust for scripts that use system or backticks I think - but again, I'm not sure about this either, so look around).


    cLive ;-)

      Depending on your security needs... running your script as your user account will expose your personal data if there is a security bug. And that could be bad... particularly if you are using private key authentication, or have sudo access to some parts of the system. Whereas, if the webserver is compromised, you're exposing everybody's web data, probably the ftp server also, but not much else.
      Snazzy tagline here
Re: Re: Yet Another Security Question
by Graham (Deacon) on Jun 24, 2001 at 01:01 UTC
    Aighearach is correct.
    Generally you can only set the group ownership if you are a member of the new group to which you are changing or root under *nix

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://91001]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (4)
As of 2022-12-04 08:08 GMT
Find Nodes?
    Voting Booth?

    No recent polls found