[plug] Perl CGI scripts
Buddrige, David
David.Buddrige at mitswa.com.au
Wed Nov 4 11:33:36 WST 1998
The bit that I wrote was "I would normally use chmod a+x sample.pl which
gives executable access to everyone (but no other access is
granted)..."... I think this was not clear because the ">"s in my email
got mucked up... I agree - I would never use chmod 777 either...
regards
David Buddrige
Software Engineer
MITS Pty. Ltd.
david.buddrige at mitswa.com.au
> Are you fscking nuts??? 777 on a CGI script????? Actually, 777 on
> anything!
>
> Remind yourself that anyone in the world can execute that program for
> you - how would you like it if some user came along and modified it?
> Also, while I'm as big an enemy of security through obscurity as anyone,
> CGI programs are the one area where it has *some* legitimacy. You don't
> want people to know your potential weakness in any situation; when
> anyone in the world can execute something on your box then you want to
> keep these even closer to your chest.
>
> My advice for CGI scripts is to have them owned by the user who wrote
> them but in the group "nogroup" (assuming your httpd runs with this
> egid). You can then set the permissions as such:
>
> chmod 710 <filename>
>
> That is, rwx for the user (so they can easily modify it without su-ing
> to root), execute permission for nogroup (ie your web server, although
> you *might* need read permission also for Perl/bash scripts etc. Not
> positive about this - test it) and no one else (ie ordinary users on
> your system) can look at it. A second advantage of giving access to the
> httpd through its gid and not uid is that if you have a bad CGI script
> somewhere which someone exploits then your CGI script can't be
> deleted/modified as would be possible if it's owned by nobody.
>
> Regards,
>
> Christian.
>
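The following script is an added example and is not part of the original thread or of either poster's setup. It checks a CGI file against the recipe Christian gives (rwx for the author, execute for the httpd's group, nothing for anyone else) and settles the point he left open: whether an interpreted script can run with execute-only permission. The httpd account names it flags (nobody, www-data, apache, httpd) and the use of /bin/sh in place of Perl for the sample script are assumptions made for the example; the #! mechanics are the same for Perl.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Audits a CGI script
# against the 710/750 recipe and shows why an interpreted script needs read
# permission as well as execute.

# Constructed sample CGI script.  /bin/sh stands in for Perl so the demo runs
# anywhere; #! handling is identical for a Perl script.
make_sample_cgi() {
    f=$(mktemp) || return 1
    printf '%s\n' '#!/bin/sh' 'printf "Content-type: text/plain\r\n\r\nhello\n"' > "$f"
    printf '%s\n' "$f"
}

# Check one file's mode, owner and group.  Prints "ok" or a space-separated
# list of problem tokens.  Parses ls -ld because GNU and BSD stat(1) differ.
# $2 is the group the httpd runs with ("nogroup" in Christian's setup).
audit_cgi_perms() {
    file=$1 want_group=$2
    info=$(ls -ld "$file") || return 1
    set -- $info                      # -rwx--x--- 1 owner group size date name
    mode=$1 owner=$3 group=$4
    problems=
    case $mode in
        ???????---*) ;;               # others (positions 8-10) have nothing: good
        *) problems="$problems others-have-access" ;;
    esac
    case $mode in ?????w*) problems="$problems group-writable" ;; esac
    case $mode in ??????[xs]*) ;; *) problems="$problems group-cannot-execute" ;; esac
    # Interpreted scripts need group read: the kernel execs the interpreter
    # named on the #! line, and the interpreter then open()s the script.
    case $mode in ????r*) ;; *) problems="$problems group-cannot-read" ;; esac
    [ "$group" = "$want_group" ] || problems="$problems wrong-group($group)"
    # Owned by the httpd's own account (hypothetical common names) means a
    # compromised CGI can rewrite it, Christian's second point.
    case $owner in
        nobody|www-data|apache|httpd) problems="$problems owned-by-httpd-user" ;;
    esac
    problems=${problems# }
    printf '%s\n' "${problems:-ok}"
}

# Does the script run when its caller may execute but not read it?  Runs the
# interpreter on the file, which is the step that needs read permission, so
# the result does not depend on the temp filesystem allowing exec.  Prints
# "ran" or "denied".  Root bypasses the read check, so as root 0100 still runs.
run_with_mode() {
    file=$1 mode=$2
    chmod "$mode" "$file" || return 1
    if sh "$file" >/dev/null 2>&1; then echo ran; else echo denied; fi
}

demo() {
    f=$(make_sample_cgi) || exit 1
    # The caller's primary group stands in for the httpd group here.
    for m in 777 710 750; do
        chmod "$m" "$f"
        printf 'mode %s: %s\n' "$m" "$(audit_cgi_perms "$f" "$(id -gn)")"
    done
    printf 'execute-only (0100): %s\n' "$(run_with_mode "$f" 100)"
    printf 'read+execute (0500): %s\n' "$(run_with_mode "$f" 500)"
    rm -f "$f"
}

demo
```

On a real system run `audit_cgi_perms /var/www/cgi-bin/foo.pl nogroup` (or whatever group your httpd's egid is) over each script. The execute-only case is denied for an ordinary user, which answers Christian's question: a Perl or shell CGI script needs 750, not 710, because the interpreter has to read it; only a compiled CGI binary can get by with execute-only for the group.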