in reply to Apache+cgi problem

Hi Monks, I have finished a cgi script and tested it on the command line. Then I put it into the cgi-bin on my web server, set the permissions to 755 owner root.

You should not let cgi scripts be owned by root. Chown nobody:nobody script. I like chicken.

Re: Re: Apache+cgi problem
by IlyaM (Parson) on Feb 17, 2002 at 18:17 UTC
    This is very bad advice. Two rules of good security:
    • No files should be owned by nobody. This UID is used by many daemons. If they are compromised then those files can be overwritten, which can help an attacker gain more access to the system.
    • root as owner of a cgi script is fine (or any other UID != UID under which Apache runs). This ensures that if either Apache or the cgi script is compromised, the cgi script itself cannot be modified by the attacker. The only problem with root as owner of the cgi script is that it forces you to use the root account to update those files. It is better to use another account for this task.

    --
    Ilya Martynov (http://martynov.org/)
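
The two rules in the reply above can be checked mechanically. The following audit script is an added example, not part of the thread or of any poster's code; the function names and the two command-line arguments (the cgi-bin directory and the account Apache runs as) are assumptions. It goes slightly beyond the reply by also flagging entries, including directories, that the web server account can write to through group or world permission bits.

```python
import os
import stat
import sys


def check_entry(st_uid, st_gid, st_mode, web_uid, web_gids, nobody_uid=None):
    """Return the reasons one file or directory breaks the two rules."""
    problems = []
    if nobody_uid is not None and st_uid == nobody_uid:
        problems.append("owned by nobody")
    if st_uid == web_uid:
        # An owner can always chmod the file writable again, so the mode is moot.
        problems.append("owned by the web server UID")
    elif st_gid in web_gids:
        if st_mode & stat.S_IWGRP:
            problems.append("group-writable by the web server")
    elif st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_tree(root, web_uid, web_gids, nobody_uid=None):
    """Walk root and return {path: [problems]} for each offending entry."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            problems = check_entry(st.st_uid, st.st_gid, st.st_mode,
                                   web_uid, web_gids, nobody_uid)
            if problems:
                findings[path] = problems
    return findings


if __name__ == "__main__" and len(sys.argv) == 3:
    import grp
    import pwd
    cgi_dir, web_user = sys.argv[1], sys.argv[2]  # assumed arguments: directory, Apache's user
    pw = pwd.getpwnam(web_user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if web_user in g.gr_mem}
    try:
        nobody = pwd.getpwnam("nobody").pw_uid
    except KeyError:
        nobody = None
    for path, problems in sorted(audit_tree(cgi_dir, pw.pw_uid, gids, nobody).items()):
        print(f"{path}: {'; '.join(problems)}")
```

An empty result means no entry under the directory is owned by nobody, owned by the web server account, or writable by it.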