in reply to Yet Another Security Question

You don't need world writable directories.

(I'm assuming *nix here)

You need the directories to be writable by the webserver, which is usually the user called "nobody".

What I like to do is to set the group ownership to nobody, then set them user and group writable.

update: you might not be able to set group ownership to nobody if you're not root. If this is the case, you will have to ask your sysadmin to do it. (there is probably no workaround)
--
Snazzy tagline here
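
The ownership-and-mode approach described above, as an added example that is not part of the original post: a small POSIX shell script that gives a data directory to a chosen group (defaulting to the caller's own primary group, since, as noted in the thread, a non-root user can only chgrp to a group they belong to), sets it user- and group-writable only, and then checks that nothing under it is world-writable. The directory name and the `--demo` flag are assumptions for illustration; run it as `sh script.sh --demo`.

```shell
#!/bin/sh
# Added example: make a web data directory group-writable instead of world-writable.

# make_group_writable DIR [GROUP]
# Creates DIR, hands it to GROUP (default: caller's primary group) and sets
# mode 0770 (user and group may write, "other" may not). Returns non-zero if
# any step fails; chgrp in particular fails unless you are root or a member
# of GROUP, which is the case the thread warns about.
make_group_writable() {
    dir="$1"
    grp="${2:-$(id -gn)}"   # assumption: default to our own group so non-root users can run this
    mkdir -p "$dir"     || return 1
    chgrp "$grp" "$dir" || return 1
    chmod 0770 "$dir"   || return 1
    return 0
}

# dir_mode_string DIR
# Prints the ten-character type/permission field from ls -ld, e.g. drwxrwx---,
# which is portable across GNU and BSD userlands (stat's format flags are not).
dir_mode_string() {
    ls -ld "$1" | cut -c1-10
}

# has_no_world_writable DIR
# Returns 0 when no file or directory under DIR has the "other write" bit set,
# 1 otherwise. -perm -0002 is POSIX: true if at least the o+w bit is present.
has_no_world_writable() {
    [ -z "$(find "$1" -perm -0002 -print 2>/dev/null)" ]
}

# Stand-alone demo (assumed flag): sh script.sh --demo
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_group_writable "$tmp/data"
    echo "mode: $(dir_mode_string "$tmp/data")"
    if has_no_world_writable "$tmp/data"; then
        echo "ok: nothing under $tmp/data is world-writable"
    else
        echo "warning: world-writable path found under $tmp/data"
    fi
    rm -rf "$tmp"
fi
```

In a real deployment the second argument would be the group the web server runs as (the thread names `nobody`); the world-writable check is the part worth keeping in a periodic audit, since a later `chmod 777` by a well-meaning colleague silently reintroduces the problem the first post is trying to avoid.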

Re: Yet Another Security Question
by cLive ;-) (Prior) on Jun 24, 2001 at 01:03 UTC
    Hmmm. But if I am another user on this box, I can set up a cgi script to update this data, because my cgi script is also run by the server as nobody. Yes?

    If you have root access or a friendly sysadmin, ask them to install cgiwrap. Then you can run scripts as yourself, and set datafile permissions to 600. The cobalt RaQ servers come with cgiwrap seamlessly installed (not a plug, have had both good and bad experiences with these).

    Alternatively, you can set the effective uid of the script with chmod u+s (I'm sure there are tutorials - I'm a little fuzzy on this as I use cgiwrap). Or write a C wrapper for the script and suid that (more robust for scripts that use system or backticks I think - but again, I'm not sure about this either, so look around).

    .02

    cLive ;-)

      Depending on your security needs... running your script as your user account will expose your personal data if there is a security bug. And that could be bad... particularly if you are using private key authentication, or have sudo access to some parts of the system. Whereas, if the webserver is compromised, you're exposing everybody's web data, probably the ftp server also, but not much else.
      --
      Snazzy tagline here
Re: Re: Yet Another Security Question
by Graham (Deacon) on Jun 24, 2001 at 01:01 UTC
    Aighearach is correct.
    Generally you can only set the group ownership if you are a member of the new group to which you are changing, or root, under *nix.