Hi John,
Thanks,
On 14-02-06 03:49 PM, John Andersen wrote:
On 2/6/2014 12:34 PM, Ted Byers wrote:
Hi John,
On 14-02-06 03:23 PM, John Andersen wrote:
On 2/6/2014 12:01 PM, Ted Byers wrote:
After creating /srv/www/htdocs/misc, I applied 'chgrp www /srv/www/htdocs/misc' and 'chmod 755 /srv/www/htdocs/misc'. I do not know if there is a better option. But what is critical is that Apache can serve the PDF my script has created.
Is Apache running as www, or is it running as "nobody"?
In uid.conf, I see the User is set to wwwrun and the Group is www. I would assume, then, that it is running as wwwrun. Is that correct, or does that reveal my ignorance of the Linux world? ;-)
Well (off the top of my head): if user wwwrun is a member of www, then it is restricted to the group permission in that directory, which in your case is read execute.
You need to write in that subdirectory (to create a subdirectory or a file). So it would EITHER need to OWN /srv/www/htdocs/misc, or the Group www would need write authority to that directory. (775)
Thanks. Using chmod 775 addressed the proximate problem.
Someone more accustomed to managing web servers than I could probably recommend best practices.
While my immediate problem is solved, I eagerly await advice on best practices.
Does the owner and group assigned to the cgi scripts matter? They are all set to root/root, I assume because I had to sudo cp them from my working directory to /srv/www/cgi-bin. I would assume (hope) that they're executed as whatever user Apache runs as, though, and that the ownership affects only the ability to edit them, because it would be really bad if they ran as root (though it seems to be mostly working, and this machine is a workstation that is not accessible to the outside world). If that is wrong, then tell me how to fix that.
Thanks
Ted
I'm not an expert on this, just going by the symptoms you posted.
Presumably your cgi scripts are executable by wwwrun (or anyone), (and not suid root). But as long as you can execute them as wwwrun that should work, and they should run as the userid that invoked them.
If they did suid root, that can only be by evil magic in the behaviour of the web server that I haven't read about, as I would never do such a thing (deliberately) within my code. As a couple of colleagues have had their servers hacked, I have been increasingly paranoid about writing my code in such a manner as to make my web app hard to hack.
Thanks again,
Ted
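The permission questions in this thread, worked through as an added example that is not part of the original messages: it models which permission class (owner, group or other) applies to the server account, why 755 blocks file creation where 775 allows it, and what root/root ownership without a setuid bit means for the CGI scripts. The numeric IDs and the assumption that root owns the misc directory are constructed for illustration.

```python
import os
import stat

# Constructed sample IDs (assumptions, not values taken from the thread).
ROOT_UID, ROOT_GID = 0, 0
WWWRUN_UID, WWW_GID = 1030, 1008

# (write bit, execute/search bit) for each permission class.
_BITS = {
    "owner": (stat.S_IWUSR, stat.S_IXUSR),
    "group": (stat.S_IWGRP, stat.S_IXGRP),
    "other": (stat.S_IWOTH, stat.S_IXOTH),
}

def access_class(owner_uid, owner_gid, uid, gids):
    """Pick the single permission triplet checked for a non-root process:
    owner first, then group, then other (there is no fall-through)."""
    if uid == owner_uid:
        return "owner"
    if owner_gid in gids:
        return "group"
    return "other"

def can_create_in(mode, owner_uid, owner_gid, uid, gids):
    """Creating a file in a directory needs write and search (x) permission
    in the applicable class. ACLs and root's override are not modelled."""
    w, x = _BITS[access_class(owner_uid, owner_gid, uid, gids)]
    return bool(mode & w) and bool(mode & x)

def cgi_findings(mode, owner_uid, owner_gid, uid, gids):
    """Report what matters for a script in cgi-bin: a setuid bit (Linux
    ignores it on #! scripts, so it is a misconfiguration to clear) and
    whether the server account can execute or rewrite the file."""
    cls = access_class(owner_uid, owner_gid, uid, gids)
    w, x = _BITS[cls]
    return {
        "setuid": bool(mode & stat.S_ISUID),
        "server_can_execute": bool(mode & x),
        "server_can_modify": bool(mode & w),
    }

def audit_path(path, uid, gids):
    """Run the same checks against a real file or directory via os.stat()."""
    st = os.stat(path)
    if stat.S_ISDIR(st.st_mode):
        return {"server_can_create": can_create_in(st.st_mode, st.st_uid, st.st_gid, uid, gids)}
    return cgi_findings(st.st_mode, st.st_uid, st.st_gid, uid, gids)
```

With root/root ownership and mode 755, the server account lands in the "other" class for the scripts: it can execute them but not modify them, which is the state the thread hopes for.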