ddarby14 has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks - I'm setting up access for a Perl contractor to help out with the work load and concerned about security and what he has access to. Playing the deviant, I plugged an OPEN command to read a root-owned file in a root-owned directory elsewhere on the server and surprised to see that it didn't give me a script error - instead it printed out the file as requested.

Does it make sense that a script running with these permissions, as this apache user should be able to run an OPEN command to read a root-owned file or directory?

Our Apache 2 server has a test domain with setup as:

SuexecUserGroup        xuser xgroup

The script and it's directory both have permissions as 0755, xuser, xgroup.

I appreciate your time and insight to sort this out. Thx!

Replies are listed 'Best First'.
Re: Perl Security
by jasonk (Parson) on Feb 06, 2009 at 02:17 UTC

    root-owned doesn't mean anything. If the permissions on the file allow it to be read, then it will be read.

    Also, this is an Apache question, or possibly a file permissions question, it isn't even remotely a perl question.

    www.jasonkohles.com
    We're not surrounded, we're in a target-rich environment!
[reply]
Re: Perl Security
by jethro (Monsignor) on Feb 06, 2009 at 04:04 UTC

    Don't look at the permissions of the script, check the permissions of the file you tried to open. If this file has its read-permission for 'other' (i.e. everyone) set then everyone can read the file.

[reply]

Back to Seekers of Perl Wisdom