Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer

Re: Yet Another Security Question

by oneiros (Scribe)
on Jun 24, 2001 at 09:52 UTC ( #91029=note: print w/replies, xml ) Need Help??

in reply to Yet Another Security Question

There's a couple ways to get around this.

There's suexec (it's an automatic cgiwrap). This will run all cgi programs and scripts under a given user and group. This way you can have all your scripts, programs, datafiles and stuff rw to that user.

If you're using mod_perl, you can't use suexec. suexec works only with mod_cgi spawned processes. You can run an apache process as a normal user, and use mod_proxy to push the requests back and forth.

If you're working under a hosted environment, things get a little hairier. Most likely the above two options will not be available to you. You're probably working with mod_cgi and everything runs as nobody, httpd, www-data or similar. You can work around this, chmod the parent directory 777 and have a script make all the directories you need apache to write to. Request that script in your browser. Then immediately chmod 711 the directory you just changed to 777. You'll now have your needed directories created and owned by the httpd process, you will be able to have your scripts write freely to these, without having world writable files and directories laying about.

Replies are listed 'Best First'.
Re: Re: Yet Another Security Question
by spacewarp (Pilgrim) on Jun 25, 2001 at 10:53 UTC
    Of course, a sometimes serious drawback to having the scripts create the directories and files is that, if you need to access/move files manually, you may not be able to. I struggled with this issue for quite a while, until I hit upon the idea of setting my data files to 666, the directory to 711, and putting both in a place inaccessable to the web. Since the cgi script runs on the server, but many of the security risks are reduced by placing the world-writable files in a non-world-readable place.

    Just my 2¢


    Use of this advanced computing technology does not imply an endorsement
    of Western industrial civilization.

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://91029]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (4)
As of 2022-12-07 00:20 GMT
Find Nodes?
    Voting Booth?

    No recent polls found