[plug] Perl CGI scripts

Christian cpayne at q-net.net.au
Wed Nov 4 11:19:03 WST 1998



On Wed, 4 Nov 1998, Buddrige, David wrote:

> 
> > > Also remember to do a chmod to make the script executable
> > > 
> > > [mortimer at proxy mortimer]$ chmod 777 sample.pl
> > 
> > I would normally use chmod a+x sample.pl which gives executable access
> > to everyone (but no other access is granted)...


Are you fscking nuts???  777 on a CGI script?????  Actually, 777 on
anything!

Remind yourself that anyone in the world can execute that program for you
- how would you like it if some user came along and modified it?  Also,
while I'm as big an enemy of security through obscurity as anyone, CGI
programs are the one area where it has *some* legitimacy.  You don't want
people to know your potential weakness in any situation; when anyone in
the world can execute something on your box then you want to keep these
even closer to your chest.

My advice for CGI scripts is to have them owned by the user who wrote them
but in the group "nogroup" (assuming your httpd runs with this egid).  You
can then set the permissions as such:

chmod 710 <filename>

That is, rwx for the user (so they can easily modify it without su-ing to
root), execute permission for nogroup (i.e. your web server, although you
*might* need read permission also for Perl/bash scripts etc.  Not positive
about this - test it) and no one else (i.e. ordinary users on your system)
can look at it.  A second advantage of giving access to the httpd through
its gid and not uid is that if you have a bad CGI script somewhere which
someone exploits then your CGI script can't be deleted/modified as would
be possible if it's owned by nobody.

Regards,

Christian.
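Added example, not part of the thread: a small POSIX sh audit that flags the 777-style mistake in a cgi-bin directory and suggests the mode the post recommends. It assumes GNU or BSD stat(1) and a directory path as its argument; the "test it" point above is settled by how the kernel runs #! scripts: the interpreter must open the file, so an interpreted script needs group read as well as execute (750), while a compiled binary needs only execute (710).

```shell
#!/bin/sh
# Constructed example (not from the thread): audit a CGI directory for the
# permission mistakes discussed above and suggest the mode the post recommends.
# Assumes a POSIX sh with GNU or BSD stat(1); the target directory is an argument.

# Print the three permission digits of a file, e.g. "777" or "710".
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%s' "$m" | tail -c 3
}

# Recommended mode for one CGI file: a "#!" script is opened by its
# interpreter, so the httpd group needs read as well as execute (750);
# a compiled binary only needs execute (710).
suggest_mode() {
    if head -c 2 "$1" 2>/dev/null | grep -q '^#!'; then
        printf '750'
    else
        printf '710'
    fi
}

# Report every file whose "group" or "other" bits are too permissive.
# Output: "<mode> <reason> <suggested-mode> <path>"; returns 1 if anything was found.
audit_cgi_perms() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        mode=$(file_mode "$f")
        g=$(printf '%s' "$mode" | cut -c2)   # group digit
        o=$(printf '%s' "$mode" | cut -c3)   # other digit
        reason=""
        [ $((o & 2)) -ne 0 ] && reason="world-writable"
        [ -z "$reason" ] && [ $((g & 2)) -ne 0 ] && reason="group-writable"
        [ -z "$reason" ] && [ $((o & 4)) -ne 0 ] && reason="world-readable"
        if [ -n "$reason" ]; then
            printf '%s %s %s %s\n' "$mode" "$reason" "$(suggest_mode "$f")" "$f"
            found=1
        fi
    done
    return $found
}
```

Run it as `audit_cgi_perms /path/to/cgi-bin`; a non-zero exit status means at least one file needs its mode tightened.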



