W3C home > Mailing lists > Public > www-talk@w3.org > May to June 1996

Re: creating a mSQL database with a www cgi

From: ALASTAIR AITKEN CLMS <A.Aitken@unl.ac.uk>
Date: Fri, 10 May 1996 09:42:15 +0000 (GMT)
To: www-talk@w3.org
Message-Id: <01I4JBBW981G9YCVNX@grid.unl.ac.uk>
Quoth Kee Hinckley:
>At 4:43 PM  -0400 5/9/96, Jason T Vincent wrote:
>>     Hey all,
>>
>>     I can create a database in MSQL by running  a perl cgi from the
>>     command line, but once I try to run the cgi through netscape it does
>>     not create the database.  My guess is that it is not being created
>>     because the server thinks that user 'nobody' is trying to create the
>>     database.  Is there a way to do this without creating a huge security
>>     hole?
>
>I'd recommend running your server as somebody.  Anytime you've got a server
>that is going to be creating and/or modifying the system I think it's safer
>to make it an actual user than make everything world-writable.  It's
>certainly far more manageable.

I definitely would not recommend running the server as somebody.  It isn't
necessary and if the server is somebody it is less not more secure.  Why
not create a directory for the database to be created and give that
directory to nobody.  That is what I do.  No suid or sgid scripts and only
one place where the server can read and write.

Alastair Aitken http://www.unl.ac.uk/~alastair mailto:a.aitken@unl.ac.uk
Received on Friday, 10 May 1996 04:42:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:19 GMT