in reply to Permissions for a cgi script

Any directory apache writes to must be 777 (world-writable), since anyone in the world may be running the script. You could run apache with suexec. Place the script in /home/user/public_html/cgi-bin, then apache will run with the permissions of the owner of that home directory (usually 700). So how about making a user called 'backup' and running the script out of backup's homedir's cgi-bin? Then the httpd daemon will be able to make directories in backup's homedir.

If you want to make a new directory, completely owned by apache, you have to be root, then su to apache, then make the directory. Sudo may be able to do this, but it sounds risky if running through cgi. Your best bet is to use "suexec". If you don't know how suexec works, just google for it. It comes with apache, and if it is found in the path when apache starts, it will automatically be enabled, and anything run in a home directory's public_html will be run as "user::users", instead of "nobody::nogroup" (or other lowest permissions).

Most people who want to do something like this would not use cgi, and would use SSH instead, which would be much more secure.


I'm not really a human, but I play one on earth. flash japh

Re^2: Permissions for a cgi script
by eXile (Priest) on Apr 19, 2005 at 14:52 UTC
    New directories can be made by apache if the user apache runs as has the correct permissions to write to the directory (so 'rwx'). Please read something like this doc on file permissions for a brief review of Unix file permissions.

    Using suEXEC is discouraged in the docs describing it, if you are not familiar with setuid scripts and such, so I wouldn't recommend that to somebody asking about file permissions ...

      Using suEXEC is discouraged in the docs describing it.

      I don't run a shared ISP, so I can't be absolutely positive, but it seems every server account that I've ever had used suexec. I get a public_html directory, and when I connect, I am running as the owner of that home directory. Now I must admit that maybe they work some magic in the "virtual hosts configuration" to let apache run as user in a homedir, without suexec, but it sure acts like suexec. This link shows apache running as zentara, not nobody.

      But in any event, trying to do backups to cd/dvd, through a cgi script is NOT a good idea. SSH should be used. Well maybe if he is using https with some sort of access restriction, he could get away with it.

      Since the OP is talking about sudo'ing to root, to make his cd's, he must have a dedicated remote server, so there should be no problem with him using ssh.


      I'm not really a human, but I play one on earth. flash japh
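
The point made in the first reply above (a directory only has to be writable by the user apache runs as, so 'rwx' for that user) can be checked from the mode bits. The following is an added example, not code from any poster in this thread; the function name `dir_write_check` is hypothetical, and it deliberately ignores ACLs, root's override of permission checks, and read-only mounts.

```python
import os
import stat

def dir_write_check(path, uid, gids):
    """Decide from mode bits whether uid (with group ids gids) may create
    entries in directory `path`, and whether the mode is broader than needed."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    mode = stat.S_IMODE(st.st_mode)
    # The kernel applies exactly one permission class: owner, else group, else other.
    if uid == st.st_uid:
        klass, bits = "owner", (mode >> 6) & 0o7
    elif st.st_gid in gids:
        klass, bits = "group", (mode >> 3) & 0o7
    else:
        klass, bits = "other", mode & 0o7
    # Creating a file or subdirectory needs write (2) and search (1) on the parent.
    can_create = (bits & 0o3) == 0o3
    world_writable = bool(mode & stat.S_IWOTH)
    sticky = bool(mode & stat.S_ISVTX)
    findings = []
    if world_writable and not sticky:
        findings.append("world-writable without sticky bit: "
                        "any local user can add, rename or delete entries")
    elif world_writable:
        findings.append("world-writable with sticky bit: any local user can add entries")
    if can_create and klass != "other" and world_writable:
        findings.append(f"{klass} class already grants write; "
                        "the 'other' write bit is unnecessary")
    return {"mode": oct(mode), "class": klass,
            "can_create": can_create, "findings": findings}

if __name__ == "__main__":
    import tempfile
    # Constructed demo: a scratch directory standing in for the backup target.
    with tempfile.TemporaryDirectory() as d:
        owner = os.stat(d).st_uid
        for m in (0o700, 0o770, 0o777, 0o1777):
            os.chmod(d, m)
            print(dir_write_check(d, owner, set()))
            print(dir_write_check(d, owner + 1, set()))
```

Pass the uid and group ids of the account the web server's CGI processes run under; a result of `can_create` true with no findings means the directory is writable by that account without being open to every local user.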