
Re: Yet Another Security Question

by cLive ;-) (Prior)
on Jun 24, 2001 at 01:03 UTC

in reply to Re: Yet Another Security Question
in thread Yet Another Security Question

Hmmm. But if I am another user on this box, I can set up a cgi script to update this data, because my cgi script is also run by the server as nobody. Yes?

If you have root access or a friendly sysadmin, ask them to install cgiwrap. Then you can run scripts as yourself, and set datafile permissions to 600. The Cobalt RaQ servers come with cgiwrap seamlessly installed (not a plug, have had both good and bad experiences with these).

Alternatively, you can set the effective uid of the script with chmod u+s (I'm sure there are tutorials - I'm a little fuzzy on this as I use cgiwrap). Or write a C wrapper for the script and suid that (more robust for scripts that use system or backticks I think - but again, I'm not sure about this either, so look around).


cLive ;-)
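
An added example, not part of the original post and not cgiwrap's own code: once the script runs under your own uid (through cgiwrap or a setuid wrapper) with the data file at mode 600, the program can verify that assumption before it touches the file. The function name `open_private_datafile` and the `DF_*` result codes are this example's own, and it is written in C because that is the language the post suggests for a wrapper.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes (names are this example's own, not from cgiwrap). */
enum { DF_OK = 0, DF_OPEN_FAILED, DF_NOT_REGULAR, DF_WRONG_OWNER, DF_TOO_OPEN };

/*
 * Open the data file, then verify on the open descriptor that it is a
 * regular file, owned by the effective uid the script runs as, with no
 * group/other permission bits (mode 0600 or stricter). Using fstat() on
 * the descriptor instead of stat() on the path means the file that was
 * checked is the file that gets used. On success *fd_out holds the fd.
 */
int open_private_datafile(const char *path, int *fd_out)
{
    struct stat st;
    int rc = DF_OK;
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return DF_OPEN_FAILED;

    if (fstat(fd, &st) != 0)
        rc = DF_OPEN_FAILED;
    else if (!S_ISREG(st.st_mode))
        rc = DF_NOT_REGULAR;
    else if (st.st_uid != geteuid())
        rc = DF_WRONG_OWNER;      /* e.g. still running as "nobody" */
    else if (st.st_mode & (S_IRWXG | S_IRWXO))
        rc = DF_TOO_OPEN;         /* e.g. 0644 or 0666 instead of 0600 */

    if (rc != DF_OK) {
        close(fd);
        return rc;
    }
    *fd_out = fd;
    return DF_OK;
}

int main(int argc, char **argv)
{
    int fd, rc;
    if (argc != 2) { fprintf(stderr, "usage: %s datafile\n", argv[0]); return 2; }
    rc = open_private_datafile(argv[1], &fd);
    printf("%s: %s (code %d)\n", argv[1], rc == DF_OK ? "ok" : "refused", rc);
    if (rc == DF_OK) close(fd);
    return rc;
}
```

A `DF_WRONG_OWNER` result under a shared web server usually means the script is still being run as the server's user rather than through the wrapper.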

Replies are listed 'Best First'.
Re: Re: Yet Another Security Question
by Aighearach (Initiate) on Jun 24, 2001 at 01:12 UTC
    Depending on your security needs... running your script as your user account will expose your personal data if there is a security bug. And that could be bad... particularly if you are using private key authentication, or have sudo access to some parts of the system. Whereas, if the webserver is compromised, you're exposing everybody's web data, probably the ftp server also, but not much else.
    Snazzy tagline here
