If you mean classic FTP, yes, this is a huge security risk because the password is sent in plaintext over the wire. Nobody should be using classic FTP for anything unless there is no other option. The alternatives are ftps (SSL+classic FTP) or sftp (SSH with file-transfer subsystem). Everyone should be using sftp, and ideally connecting with an authorized_key instead of a password.

If you trust them enough to let them run scripts on the server, then presumably you trust them enough to also log into the server as the Plesk website user. In that case you can just configure sftp for that user so that they are pushing files to "sftp://website-user@webhost/htdocs/cgi" or something like that. SSH has various directory permissions that must be maintained for that to work, but should be doable. The files will arrive as the correct user, so no changes are needed to Apache.

My preferred CGI design is to have one user or group owning the files and a *different* user lacking any write permission executing the files. See if Plesk will let you configure it that way. (I've never used Plesk.)

Keep in mind that you need to trust this user to also be CGI-savvy and not open any security holes of their own! The old CGI pattern of doing things, where a directory contains a mixture of code and static content and is writable as the user executing the script, has a long track record of vulnerabilities. There's a reason everyone moved to application frameworks deployed in containers from version control.


In reply to Re: [OT] FTP user permissions by NERDVANA
in thread [OT] FTP user permissions by Bod
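
An added example, not part of the post above: a small audit for the ownership split it describes, listing everything under a CGI directory that the account executing the scripts could modify. The function names and the sample tree are hypothetical, and only classic POSIX mode bits are checked (ACLs and mount options are ignored).

```python
import os
import stat
import tempfile

def can_write(mode, owner_uid, owner_gid, uid, gids):
    """POSIX mode-bit check: only one permission class applies to a user."""
    if uid == 0:
        return True  # root bypasses mode bits
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit_cgi_tree(root, exec_uid, exec_gids):
    """Return sorted relative paths the executing user could modify."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not enforced
            if can_write(st.st_mode, st.st_uid, st.st_gid, exec_uid, exec_gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: one clean script, one writable script and directory."""
    layout = {"script.cgi": 0o755, "upload.cgi": 0o777}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/usr/bin/perl\n")
        os.chmod(path, mode)
    os.mkdir(os.path.join(root, "cache"))
    os.chmod(os.path.join(root, "cache"), 0o777)
    os.chmod(root, 0o755)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        owner = os.lstat(root).st_uid
        # Hypothetical executing account: neither the owner nor in its group.
        print(audit_cgi_tree(root, owner + 1000, set()))
        # Same account owning and executing (the pattern the post warns about).
        print(audit_cgi_tree(root, owner, set()))
```

A writable directory counts as a finding even when the scripts inside it are read-only, because write access to the directory is enough to replace them.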
