Apache usually runs as the user 'nobody', although I've also seen it run as 'www-user' on some systems. Either way, these are very low-privilege accounts, for security purposes. You don't want a buggy cgi script to clobber files in actual user directories. So if you have a cgi script that needs to write files, you'll need to create a directory that 'nobody' can write to. As root, you'd do something like this:
mkdir mydata
chown nobody:nobody mydata
chmod 755 mydata
But now, if you log in as user 'larry', you won't have permission to modify those files (they're read only). If you're the web admin and need to, for example, delete them, what do you do? You have several options:
- Write a cleanup script, and run it as a cgi script, too. You'll want this in a password protected area, so only the web admin can run it. It will do the cleanup then print an "all done" message. Since it will run as user 'nobody', it can modify, delete, etc. files owned by nobody. This works, but I don't really like this option.
- You can create a suid script. This is a wrapper script that runs your cleanup script as some other user, in this case, 'nobody'. Sometimes admins create suid scripts for trusted users that allow them to do certain things as user 'root'. This saves them having to ask the admin to do it for them every time, and it's more secure than actually giving them a root login. But in general suid scripts are considered a potential security risk. In your case, you'd actually be demoting a regular user (larry) to a non-privileged user (nobody), so I think your risk is minimal. But you'll need someone with root login to set up the suid script for you, initially.
- You could also create a group, called, for example, web-admin. Then add users nobody and larry to the web-admin group. Then make sure that all the files nobody writes have group read/write permission (chmod 775). Then larry can edit nobody's files, because they are in the same group. If other people need access, just add them to the group. I like this solution the best. But you'll need root login to manage the group setup.
- One last option: avoid file I/O completely, and use a database instead (like mysql or sqlite). A cgi script can use the DBI module to connect to the database and read/write, and then later 'larry' (or any other user) can connect using a database client tool and do whatever. You can handle read/write access within the database then, using, for example, the GRANT command in mysql.
I hope this helps - good luck!
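The group-based option above, worked through as an added example (this is not code from the original post). It goes one step beyond the post: besides chmod 775, it sets the setgid bit on the directory (mode 2775), so every file the web server creates inherits the directory's group instead of nobody's primary group, and it shows the umask the CGI script should use so its files come out 0664 rather than the default 0644. The real group name (web-admin) and the groupadd/usermod/chown steps are given as root-only comments; so that the functions can be tried without root, the caller's own primary group is used in place of web-admin, and the directory is assumed to live in a scratch location you own.

```shell
#!/bin/sh
# Added example, not part of the original post.
#
# Real setup, as root (assumed group name web-admin):
#   groupadd web-admin
#   usermod -aG web-admin larry
#   usermod -aG web-admin nobody
#   chown nobody:web-admin /path/to/mydata
#   chmod 2775 /path/to/mydata
#
# The functions below do the permission part of that with a group you
# already belong to, so they run without root in a scratch directory.

# setup_shared_dir DIR GROUP
#   mode 2775 = rwx owner, rwx group, r-x others, plus setgid so that
#   files created inside DIR get group GROUP rather than the creator's
#   primary group. Without setgid, nobody's files would belong to group
#   'nobody' and larry still could not edit them.
setup_shared_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2775 "$dir" || return 1
}

# write_as_cgi DIR NAME
#   What the CGI script has to do before writing: umask 002 so the new
#   file is 0664 (group-writable). The default umask of 022 would give
#   0644, and the group setup alone would not let larry modify the file.
#   Run in a subshell so the umask change does not leak to the caller.
write_as_cgi() {
    (
        umask 002
        printf 'constructed sample data\n' > "$1/$2"
    )
}

# mode_of PATH -> the 10-character symbolic mode from ls, e.g. -rw-rw-r--
#   (cut to 10 chars so an ACL marker in column 11 does not interfere)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone demonstration in a scratch directory.
scratch=$(mktemp -d)
setup_shared_dir "$scratch/mydata" "$(id -gn)"
write_as_cgi "$scratch/mydata" counter.txt
echo "directory: $(mode_of "$scratch/mydata")"        # drwxrwsr-x
echo "file:      $(mode_of "$scratch/mydata/counter.txt")"   # -rw-rw-r--
rm -rf "$scratch"
```

The 's' in the group position of the directory mode is the setgid bit; 'larry' only needs to be a member of the directory's group to edit, rename or delete what the CGI script writes there. If the CGI script itself needs to create subdirectories, they inherit the setgid bit automatically, but it should still set umask 002 first.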