in reply to Re: Yet Another Security Question
in thread Yet Another Security Question

Hmmm. But if I am another user on this box, I can set up a cgi script to update this data, because my cgi script is also run by the server as nobody. Yes?

If you have root access or a friendly sysadmin, ask them to install cgiwrap. Then you can run scripts as yourself, and set datafile permissions to 600. The Cobalt RaQ servers come with cgiwrap seamlessly installed (not a plug, have had both good and bad experiences with these).

Alternatively, you can set the effective uid of the script with chmod u+s (I'm sure there are tutorials - I'm a little fuzzy on this as I use cgiwrap). Or write a C wrapper for the script and suid that (more robust for scripts that use system or backticks I think - but again, I'm not sure about this either, so look around).

.02

cLive ;-)
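An added example, not part of the post above: a minimal C wrapper of the kind the post mentions, assuming it is installed owned by the script's user with chmod u+s. The paths and the list of kept CGI variables are hypothetical; it refuses to run unless the data file is a regular file with mode 600 owned by the effective uid, and it passes only a fixed PATH and whitelisted variables to the script.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SCRIPT   "/home/alice/cgi-bin/update.pl"  /* hypothetical path */
#define DATAFILE "/home/alice/data/records.db"    /* hypothetical path */

/* CGI variables the script may see (assumed list); all others are dropped. */
static const char *const KEEP[] = { "REQUEST_METHOD", "QUERY_STRING",
    "CONTENT_LENGTH", "CONTENT_TYPE", "REMOTE_ADDR", NULL };

/* 1 only if path is a regular file (not a symlink), owned by owner, mode 0600. */
int is_private_file(const char *path, uid_t owner)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return st.st_uid == owner && (st.st_mode & 07777) == 0600;
}

/* Fill out[] with a fixed PATH plus whitelisted entries of src[]; returns count. */
int build_clean_env(char *const src[], char *out[], int max)
{
    int n = 0;
    out[n++] = "PATH=/usr/bin:/bin";
    for (int i = 0; src && src[i] && n < max - 1; i++)
        for (int k = 0; KEEP[k]; k++) {
            size_t len = strlen(KEEP[k]);
            if (strncmp(src[i], KEEP[k], len) == 0 && src[i][len] == '=') {
                out[n++] = src[i];   /* exact name match only */
                break;
            }
        }
    out[n] = NULL;
    return n;
}

extern char **environ;

int main(void)
{
    char *env[16];
    char *args[] = { (char *)SCRIPT, NULL };   /* fixed target, no caller input */
    if (!is_private_file(DATAFILE, geteuid())) {
        fputs("Status: 500\r\nContent-Type: text/plain\r\n\r\ndata file not private\n", stdout);
        return 1;
    }
    build_clean_env(environ, env, 16);
    execve(SCRIPT, args, env);
    return 127;                                /* reached only if exec failed */
}
```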

Re: Re: Yet Another Security Question
by Aighearach (Initiate) on Jun 24, 2001 at 01:12 UTC
    Depending on your security needs... running your script as your user account will expose your personal data if there is a security bug. And that could be bad... particularly if you are using private key authentication, or have sudo access to some parts of the system. Whereas, if the webserver is compromised, you're exposing everybody's web data, probably the FTP server also, but not much else.
    --
    Snazzy tagline here