

in reply to Secure Permissions?

Just thought I'd point out that Apache can also be configured to run using a suid wrapper, so that CGIs can be run in mode 700 (rwx------) or 500 (r-x------). In this configuration, the CGIs execute as the user whose account corresponds to that directory. Thus, on a system that hosts many web accounts, a user can create a set of scripts which are executable and have the same access as that user, yet are unreadable by other users on the same system. The script can also then read and write files which only the user can access (mode 600: rw-------). I'm not sure how common this setup is (so far I've only run into two servers which have Apache set up this way; both were webhosting companies).

- Zoogie

RE: RE: Secure Permissions?
by Fastolfe (Vicar) on Nov 06, 2000 at 20:43 UTC
    If you have a system where you have a bunch of users executing their own CGI scripts, you probably want to do this, to limit the amount of damage a user can do. Take it a step further and put resource/file system limits on users as well.

    Just be advised that if you're allowing users to run their own CGI scripts, you can forget about security. Odds are, they've got some insecure stuff up there, and if your system is going to be compromised, this is definitely the way I'd try and do it. Except now instead of running as a 'nobody' user or a restricted web server user, they're running as a legitimate, real user on your system, which could make it a lot easier for them to get further.