-
SittingDuck, that is true ONLY if your webserver is not running as the same user that owns the files on your web page. Then, based on what you are doing, your permissions may have to be a little more open, but only then (for example, if you allow your local users to have their own web pages off of the server under ~username, then the owner would be the user, not your web user; then you would either have to set them in the same group as the web process (for the group privileges), or set the permissions on the web page files to allow other access, which leads to the 744 or 711).
/nebulus
-
Ok, I had a think about this. I believe there are a few security problems that can be avoided by NOT having the webserver run as the same user as the owner of the files. Let me explain.
If the owner of the files and the web server are the same, then you will need a file setting of a minimum of 700 so the owner can edit and view them. What would be the point if they were set to 400 or 100 (for a script file) or 500, as you would have to change the file permission every time you wished to edit the file?
So let's assume that you are running at 700. When someone connects to the webserver to view a page, the webserver gets the page for them. This means any attacks via the web server will execute with the privileges of the user the server is running as. This would mean that the attack could have full control of the files.
If you run the web server as a different user and the permissions are set as I have suggested, you don't have this problem, as the webserver has no right to change the file.
Just a little note: for script files, e.g. CGI, php, asp, cfm etc., the server that is accessing them should only have execute rights, e.g. 1; there is no need for the server to read the file. Doing it this way will prevent any source code disclosure.
For a static page the server should only be able to read it.
If you are on a test setup at home and you are the only person who can see it, then does it really matter what the file permissions are?
SittingDuck
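One way to check for the situation the thread is discussing, whether files under a document root are writable by the web server's group or by other users, as an added example that is not code from either poster. It uses only POSIX `find` primaries and builds a constructed sample tree (the file names and modes are illustrative, not from the thread) so it runs offline.

```shell
#!/bin/sh
# Added example: audit a document root for files writable by group or other.
# A web server running as a separate user with only read (or execute) access
# cannot modify such files; this reports the ones where that protection is lost.

# audit_writable DIR
# Print each regular file under DIR that is writable by group or other,
# one per line. -perm -020 is g+w, -perm -002 is o+w (both POSIX).
audit_writable() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) | sort
}

# count_writable DIR
# Print the number of such files; 0 means the tree is clean.
count_writable() {
    audit_writable "$1" | wc -l | tr -d ' '
}

# make_sample_docroot
# Create a constructed document root in a temp directory and print its path.
# File names, contents and modes are made up for this example.
make_sample_docroot() {
    root=$(mktemp -d)
    printf '<html></html>\n' > "$root/index.html"
    printf '<?php echo 1; ?>\n' > "$root/upload.php"
    printf 'secret=x\n' > "$root/config.inc"
    chmod 644 "$root/index.html"   # static page: owner edits, everyone else reads
    chmod 666 "$root/upload.php"   # mistake: any user, including the server, can edit it
    chmod 600 "$root/config.inc"   # owner only
    echo "$root"
}

# Usage: build the sample tree, report, and clean up.
demo_root=$(make_sample_docroot)
echo "Files writable by group/other under $demo_root:"
audit_writable "$demo_root"
rm -rf "$demo_root"
```

On the sample tree only `upload.php` is reported; the 644 static page and the 600 config file pass, matching the thread's point that the server user should be able to read (or execute) a file but never write to it.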
-
Normally this would be true, and under most normal circumstances running the web server and having the web pages being served owned by the same user is not very feasible; however, as an aside, I guess I haven't really had to worry about this because I run the pages off of its own separate partition that is mounted read only...kind of taken care of by default, but point taken :)
/nebulus