Re: Data Security in Perl

Are you worried that people access the data from a web browser, or a local user accessing it via the filesystem? .htaccess can help with blocking browser access to directories, but unless users need to access their files directly (and not through the database or scripts), you could just move the whole directory tree outside the docroot for the server. Then it will not be accessible at all via a browser.

If it's filesystem access you're worried about, just chown the whole tree to apache, and chmod it 700 - then apache (and any scripts it runs) can read and write to the tree, but no local users (unless they hack apache) will have access to it.

-- Dan

Comment on Re: Data Security in Perl

Replies are listed 'Best First'.
Re: Re: Data Security in Perl by Anonymous Monk on Sep 04, 2002 at 11:42 UTC
Thanks for that Dan. Im worried about the data being accessed from the browser. Basically, I am a simple user on an ISP (supanames). I have cgi-bin access and can run scripts off their server. They tell me that any files I make from a script are created as the owner "nobody". Is this their fault? That's a great idea with chmod 700, but if the owner is nobody I can't do anything and apparently (gotta ask ISP more) but i cant do a chown command unless i am root user. I'll try the 700 thing=)) thanks, Adam	[reply]
Re: Re: Re: Data Security in Perl by ichimunki (Priest) on Sep 04, 2002 at 19:27 UTC
Yes, this is "their fault". It's a poor design on a shared host since, as you're finding, as it causes users to have to do strange things WRT permissions. It can also make it a royal pain to delete those files, since they will normally be chmod'ed 644 and chown'ed to nobody. Then you have to run a CGI script to chmod them to 666 so your user account can delete them (since CGI runs as nobody it is the only user level account that has write access to these files). If time/money/whatever aren't an issue, you might shop for a new ISP who runs Apache CGI as the actual user instead of nobody. This protects your data both from external browser viewers as well as other users on your shared host. The suggestion about storing these files outside the docroot for your CGI/web directory is also a good one, otherwise anyone who can guess the URL can see these files unless you take pains to change the permissions to something like 600. FWIW, I would be just as paranoid about access by other users of the shared host as I would by the web at large. Unless you know all those people, you have no idea what they'll do with the data in your directories.	[reply]