[SuSE Linux] CGI file open/create problem
Hi! I have a problem that I heard has to do with the Apache webserver, but the voice never said anything about how to solve it... To be able to access, open/read/create a text (data) file I have to chmod the directory to 777, which is not so good, but otherwise it just doesn't work to use the open command in a Perl CGI script.

Does someone know how to get around this? 766 or even 666 should be enough, if not 644... but that might be just for the file.

Also I notice that a file created by open is given ownership to user "wwwrun" and group "nogroup", is this correct?

Have tried to figure this out but with no success.

Joakim

- To get out of this list, please send email to majordomo@suse.com with this text in its body: unsubscribe suse-linux-e
Joakim Schramm wrote:
Hi! I have a problem that I heard has to do with the Apache webserver, but the voice never said anything about how to solve it... To be able to access, open/read/create a text (data) file I have to chmod the directory to 777, which is not so good, but otherwise it just doesn't work to use the open command in a Perl CGI script.
Does someone know how to get around this? 766 or even 666 should be enough, if not 644... but that might be just for the file.
Also I notice that a file created by open is given ownership to user "wwwrun" and group "nogroup", is this correct?
Have tried to figure this out but with no success.
I don't run an online server, but practice and learn offline with Apache and CGI. As far as I know, it is best to have wwwrun and nogroup own everything, even the cgi-bin. Then set the cgi-bin privileges to read, write, and execute by owner, which is wwwrun, and no privileges for anyone else. I have run practice flat-file databases this way, and wwwrun creates the database.txt files just fine in cgi-bin. wwwrun owns the file.
Joakim Schramm wrote:
Hi! I have a problem that I heard has to do with the Apache webserver, but the voice never said anything about how to solve it... To be able to access, open/read/create a text (data) file I have to chmod the directory to 777, which is not so good, but otherwise it just doesn't work to use the open command in a Perl CGI script.
Does someone know how to get around this? 766 or even 666 should be enough, if not 644... but that might be just for the file.
Also I notice that a file created by open is given ownership to user "wwwrun" and group "nogroup", is this correct?
Have tried to figure this out but with no success.
When you make an interpreter, or anything running on a web server, able to open files, you have to face a security problem. That's why the web server is running as user nobody. CGI programs always run as the same user that owns the Apache server process. This is set with the User directive in the config file. In most cases this is fine since CGI scripts should run with few privileges to limit any potential malicious damage to the system.

There are a number of utilities to make CGI scripts run setuid to a user other than the owner of the server process. As far as I know these utilities work by having a small 'wrapper' that is itself a setuid CGI program, that then invokes the "non-setuid" CGI program itself.

There is another possibility which I prefer:

1- Use Perl as an Apache module, you will have better performance.

2- Set up one more web server listening to a different port than the main web server. The main web server runs with 'nobody' privileges while the secondary web server runs as user xxx group xxx. Then allow the secondary web server to accept connections only from the main web server. Furthermore use the ProxyPass directive which "allows remote servers to be mapped into the space of the local server". Use something like

ProxyPass /SCRIPT http://your_server:$port/SCRIPT

This will cause a local request for http://your_server/SCRIPT/your_script to be internally converted into a proxy request to the secondary web server on port $port. You can put all the data in a directory owned by user xxx group xxx which can be accessed only by the secondary web server.

Maurizio
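Written out as an added example (not Maurizio's own configuration, nor anything shipped with SuSE): the two-httpd split he describes in point 2, in Apache 1.3/2.2-style syntax. The port 8081, the account and group "cgirun", the hostname and the paths are assumptions; the data directory only needs to be owned by cgirun and writable by that user, so the 777 mode from the original question is no longer needed.

```apache
# ADDED EXAMPLE: secondary httpd that runs the CGI scripts as its own user.
# Port, user/group, ServerName and paths are assumptions, not from the thread.
# Saved as its own config and started separately, e.g.
#   httpd -f /etc/httpd/httpd-cgi.conf

Listen 127.0.0.1:8081          # loopback only: the LAN/Internet cannot reach it
User  cgirun                   # CGI scripts (and files they create) belong to cgirun
Group cgirun
ServerName your_server
PidFile  /var/run/httpd-cgi.pid
ErrorLog /var/log/httpd/cgi-error_log

ScriptAlias /SCRIPT/ "/srv/www/cgi-private/"
<Directory "/srv/www/cgi-private">
    Options ExecCGI
    # Second line of defence on top of the loopback bind:
    # accept connections from the main server's host only.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>

# The scripts' data lives in a directory owned cgirun:cgirun, mode 0750,
# e.g. /srv/www/cgi-data. Nothing running as wwwrun/nogroup can touch it.


# ADDED EXAMPLE: fragment for the MAIN httpd (still running as wwwrun/nogroup).
# Requires mod_proxy (and mod_proxy_http on Apache 2.x).

ProxyRequests Off              # reverse proxy only; never an open forward proxy
ProxyPass        /SCRIPT http://127.0.0.1:8081/SCRIPT
ProxyPassReverse /SCRIPT http://127.0.0.1:8081/SCRIPT
```

A request for http://your_server/SCRIPT/your_script is thus served by the loopback-bound instance, and the files your_script creates are owned by cgirun rather than wwwrun.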
participants (3): josch@ns.humanet.se, paspartu@uni.net, zentara@mindspring.com