[plug] Perl CGI scripts

Buddrige, David David.Buddrige at mitswa.com.au
Wed Nov 4 11:33:36 WST 1998


The bit that I wrote was "I would normally use chmod a+x sample.pl which
gives executable access to everyone (but no other access is
granted)..."... I think this was not clear because the ">"s in my email
got mucked up... I agree - I would never use chmod 777 either...

regards

David Buddrige
Software Engineer
MITS Pty. Ltd.
david.buddrige at mitswa.com.au


> Are you fscking nuts???  777 on a CGI script?????  Actually, 777 on
> anything!
> 
> Remind yourself that anyone in the world can execute that program for
> you - how would you like it if some user came along and modified it?
> Also, while I'm as big an enemy of security through obscurity as anyone,
> CGI programs are the one area where it has *some* legitimacy.  You don't
> want people to know your potential weakness in any situation, when anyone
> in the world can execute something on your box then you want to keep
> these even closer to your chest.
> 
> My advice for CGI scripts is to have them owned by the user who wrote
> them but in the group "nogroup" (assuming your httpd runs with this
> egid).  You can then set the permissions as such:
> 
> chmod 710 <filename>
> 
> That is, rwx for the user (so they can easily modify it without su-ing
> to root), execute permission for nogroup (ie your web server, although
> you *might* need read permission also for Perl/bash scripts etc.  Not
> positive about this - test it) and no one else (ie ordinary users on
> your system) can look at it.  A second advantage of giving access to the
> httpd through its gid and not uid is that if you have a bad CGI script
> somewhere which someone exploits then your CGI script can't be
> deleted/modified as would be possible if it's owned by nobody.
> 
> Regards,
> 
> Christian.
> 
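Added example, not code from either poster: a POSIX shell check for the scheme quoted above, which also settles the point Christian was unsure about. A `#!` script is opened by its interpreter, not only by the kernel, so the httpd's group needs read as well as execute (750, not 710); 710 is enough only for a compiled binary. It assumes GNU `stat -c '%a'` with BSD `stat -f '%Lp'` as a fallback.

```shell
#!/bin/sh
# Constructed audit helper for the "owner rwx, httpd group x, others none"
# scheme from the thread; not part of the original mailing-list posts.

# Octal permission bits of FILE, e.g. 710 (GNU stat first, BSD stat second).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_cgi_mode FILE: prints findings; returns 0 if acceptable, 1 if not.
audit_cgi_mode() {
    f=$1
    m=$(file_mode "$f") || return 1
    while [ ${#m} -lt 3 ]; do m=0$m; done   # pad "7" -> "007"
    m=${m#${m%???}}                          # keep the last three digits: u g o
    owner=${m%??}; rest=${m#?}; group=${rest%?}; other=${rest#?}
    ok=0
    if [ "$other" -ne 0 ]; then
        echo "$f: mode $m gives 'others' access; chmod o= clears it"; ok=1
    fi
    if [ $((group & 2)) -ne 0 ]; then
        echo "$f: mode $m is group-writable; a compromised httpd could rewrite it"; ok=1
    fi
    if [ $((owner & 1)) -eq 0 ]; then
        echo "$f: mode $m is not executable by its owner"; ok=1
    fi
    # Interpreted scripts start with "#!": the interpreter must open the file,
    # so the httpd's group needs r as well as x (750). Binaries can stay at 710.
    line=
    IFS= read -r line < "$f" 2>/dev/null || line=
    case $line in
    '#!'*)
        if [ $((group & 4)) -eq 0 ] || [ $((group & 1)) -eq 0 ]; then
            echo "$f: #! script needs group r-x (chmod 750) for the httpd to run it"; ok=1
        fi ;;
    esac
    [ "$ok" -eq 0 ] && echo "$f: mode $m ok"
    return "$ok"
}
```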

