SPUG: Re: setuid & CGI security (was: site clutter)
Adam Monsen
meonkeys at hotmail.com
Tue Jun 26 13:06:17 CDT 2001
>Another solution might be to give each user two accounts: a standard
>user account, which most files are owned by, and an individual web
>account that CGI's run as. A problem with this is that a tool would
>have to be provided to allow the standard user account to adjust
>ownership and permissions for the web account. I also know of no site
>that implements such a solution.
The University of Washington student webservers
(http://students.washington.edu/) operate in a manner similar to this, but
with a single login. Every user is given one shell account, for instance,
meonkeys.user (user.group). CGIs would run as meonkeys.www. I am able to
maintain CGIs in my document root because the setgid bit is on in this
directory. The permissions are 2750 on my document root. Consequently, any
directories created in the document root are 2755 (my umask being 022). It
works fine. I could even make a file with 0700 permissions that holds a
secret key, and this will be denied direct access through HTTP, but a CGI
can still get to it.
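
The permission layout described above can be reproduced in a scratch directory and checked for drift. This is an added example, not part of the original post: it assumes Linux setgid inheritance and `stat -c`, uses the caller's own group rather than a real `www` group, and the function names, paths and `*.key` naming convention are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux semantics (mkdir in
# a setgid directory inherits the group and the setgid bit) and `stat -c`.
# Paths, function names and the *.key naming convention are constructed.

# Build a scratch docroot the way the post describes: 2750 root, umask 022.
build_docroot() {
    (
        umask 022
        mkdir -p "$1" && chmod 2750 "$1" || exit 1
        mkdir "$1/cgi-bin" || exit 1      # should come out 2755 via setgid
        printf 'constructed-secret\n' > "$1/cgi-bin/secret.key"
        chmod 0700 "$1/cgi-bin/secret.key"
    )
}

# Print one finding per line for anything that drifts from that layout.
audit_docroot() {
    want_gid=$(stat -c '%g' "$1") || return 1
    root_mode=$(stat -c '%a' "$1")
    [ "$root_mode" = 2750 ] || echo "docroot mode is $root_mode, expected 2750"
    find "$1" | while IFS= read -r p; do
        [ "$(stat -c '%g' "$p")" = "$want_gid" ] || echo "wrong group: $p"
        if [ -d "$p" ] && [ ! -g "$p" ]; then
            echo "setgid bit missing on directory: $p"
        fi
        case $p in
            *.key)
                m=$(stat -c '%a' "$p")
                case $m in
                    *00|0) ;;             # no group or other permission bits
                    *) echo "secret file mode $m is too open: $p" ;;
                esac ;;
        esac
    done
}

# Run as `sh script.sh demo` to build a scratch tree and audit it.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)/public_html
    build_docroot "$d" || exit 1
    stat -c '%a %n' "$d" "$d/cgi-bin" "$d/cgi-bin/secret.key"
    audit_docroot "$d"
fi
```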