SPUG: Re: setuid & CGI security (was: site clutter)

Adam Monsen meonkeys at hotmail.com
Tue Jun 26 13:06:17 CDT 2001

>Another solution might be to give each user two accounts: a standard
>user account, which most files are owned by, and an individual web
>account that CGI's run as. A problem with this is that a tool would
>have to be provided to allow the standard user account to adjust
>ownership and permissions for the web account. I also know of no site
>that implements such a solution.

The University of Washington student webservers 
(http://students.washington.edu/) operate in a manner similar to this, but 
with a single login. Every user is given one shell account, for instance, 
meonkeys.user (user.group). CGIs would run as meonkeys.www. I am able to 
maintain CGIs in my document root becuase the setgid bit is on in this 
directory. The permissions are 2750 on my document root. Consequently, any 
directories created in the document root are 2755 (my umask being 022). It 
works fine. I could even make a file with 0700 permissions that holds a 
secret key, and this will be denied direct access through HTTP, but a CGI 
can still get to it.
Get your FREE download of MSN Explorer at http://explorer.msn.com

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
     POST TO: spug-list at pm.org       PROBLEMS: owner-spug-list at pm.org
      Subscriptions; Email to majordomo at pm.org:  ACTION  LIST  EMAIL
  Replace ACTION by subscribe or unsubscribe, EMAIL by your Email-address
 For daily traffic, use spug-list for LIST ;  for weekly, spug-list-digest
  Seattle Perl Users Group (SPUG) Home Page: http://www.halcyon.com/spug/

More information about the spug-list mailing list