in reply to CGI Script Created Files Playing Nicely

Your best option is to use a real database like MySQL... but I realize this is not always an option... the problem is that your file is not world writable, you are correct in that, and that it is not often good to make files such as these world writable... the directory is bad enough... the best option is to just get everything to run under the same user... this may mean you need to use suid... which can also be a problem.

I keep thinking more and more of writing a C wrapper for taking care of these situations... somewhat... wish I had more time.
                - Ant


Re: Re: CGI Script Created Files Playing Nicely
by feloniousMonk (Pilgrim) on Apr 27, 2001 at 00:03 UTC
    --
    I have my 2c to put in too...
    If the folder has perms of 777 AND is executable by Apache
    (or whatever webserver for that matter)
    such as a text file in a cgi-bin for example
    you can have a major problem crop up. If executable folder
    has world-writeable files or the folder itself is
    world-writeable you can have yourself a major security
    violation.

    I had a similar mailing list situation and have since
    migrated to MySQL (less headache than PostgreSQL), but
    we have that luxury 'cuz my web server is less than
    50 feet away :-)

    --
    felonious

      I have my 2c to put in too... If the folder has perms of 777 AND is executable by Apache (or whatever webserver for that matter) such as a text file in a cgi-bin for example you can have a major problem crop up. If executable folder has world-writeable files or the folder itself is world-writeable you can have yourself a major security violation.

      no no no no non nononononnoononnononono

      naw. the files are not in the cgi dir, they're just in a directory other than under the public_html directory. I see your point though, that would be clearly shooting yourself in the foot. I generally don't like the idea of having the dir at 777. the server I use runs SuEXEC, so the dir is set to something like 755, and my files are created with 0660, so I have less worries :)

      An SQL based solution would be nice, but that would hurt portability quite a bit for this project and add complexity I don't, well, want :)


      -justin simoni
      !skazat!

        --
        Portability - if you do lock into a database do you need
        to maybe switch DB platforms at a later time? If so,
        and you still want a database (I know, more complexity,
        but may be worth it in the long run. Not as bad as one
        may think, believe it or not)
        do you know about the Perl DBI? It's a database interface
        with DBD's (Database Driver) for just about any database
        you may come up against. Also has ODBC drivers, if you
        want that functionality.

        If you want an almost-database check out Data::Dumper
        or FreezeThaw. Maybe not the best solution for you
        but may be worth a look.

        Hope I've helped,
        felonious
Re: Re: CGI Script Created Files Playing Nicely
by skazat (Chaplain) on Apr 27, 2001 at 00:49 UTC

    which can also be a problem.

    I've never created a suid script, but does the script need anything special, such as having the -T flag always set? I think I need to give it some work to make it run in taint mode (most of the common foibles are already dealt with, just sweating the little stuff), but that's a good idea. I'll have to play around with that. I don't think suid scripts are allowed to be run on my server, since we're using the SuExec way. always an option for someone else though.


    -justin simoni
    !skazat!
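
As an added example (not code from anyone in this thread), here is a Perl sketch of the setup skazat describes and the taint-mode question in the last reply: the list file lives outside public_html, is created 0660 with O_EXCL, the script refuses a world-writable directory, and the list name is untainted so the script runs under -T. The directory path and the list-name pattern are assumptions.

```perl
#!/usr/bin/perl -T
# Added example: create a CGI data file outside the web root with 0660 perms,
# refuse world-writable directories, and stay taint-clean under -T.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :mode);
use File::Spec;

# Taint mode requires a trustworthy environment before any external command.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical data directory: NOT under public_html, owned by the script's user.
my $data_dir = '/home/listowner/listdata';

# Reject directories that are world-writable (the 777 case the thread warns about).
sub dir_is_safe {
    my ($dir) = @_;
    my @st = stat($dir) or return (0, "stat failed: $!");
    return (0, "not a directory")              unless S_ISDIR($st[2]);
    return (0, "directory is world-writable")  if $st[2] & S_IWOTH;
    return (1, "ok");
}

# Untaint a list name: only a short run of letters, digits, '_' or '-'.
# Capturing through a regex is what lifts the taint flag under -T.
sub clean_name {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    return $1;
}

sub create_list_file {
    my ($dir, $raw_name) = @_;
    my ($ok, $why) = dir_is_safe($dir);
    die "refusing to write: $why\n" unless $ok;
    my $name = clean_name($raw_name) // die "bad list name\n";
    my $path = File::Spec->catfile($dir, "$name.txt");
    umask 0007;   # even if the mode below is edited later, no world bits appear
    # O_EXCL: fail instead of reusing (or following a symlink to) an existing file.
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0660)
        or die "cannot create $path: $!\n";
    print {$fh} "# subscribers for $name\n";
    close $fh or die "close failed: $!\n";
    return $path;
}

# Usage: the list name comes from (tainted) argv and is cleaned before use.
print create_list_file($data_dir, $ARGV[0]), "\n" if @ARGV;
```

Under SuEXEC the CGI already runs as the file owner, so 0660 with a 0750 or 0755 directory is enough; without it, the owning user and the web server's user would need to share the group named in that 0660.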