
Re[2]: creating a mSQL database with a www cgi

From: Jason T Vincent <Jason.T.Vincent@jpl.nasa.gov>
Date: 10 May 1996 15:00:39 -0700
Message-Id: <0237E3193BC870DA*/c=us/admd=telemail/prmd=nasa/o=jpl/ou=ccmail/s=Vincent/g=Jason/i=T/@MHS>
To: "www-talk@w3.org" <www-talk@w3.org> (Return requested), "A.Aitken@unl.ac.uk" <A.Aitken@unl.ac.uk> (Return requested)

     I've tried the idea of creating a directory owned by 'nobody' in my 
     web pages at my college.  My friends (who have way too much free 
     time) wrote their own CGIs and were able to edit that directory.  It 
     was OK for those pages, but these are government pages; they must be 
     as secure as possible.  Can this still be done if the directory is 
     secured with a .htaccess file?
     
     
     Jason
     jason.t.vincent@jpl.nasa.gov


______________________________ Reply Separator _________________________________
Subject: Re: creating a mSQL database with a www cgi
Author:  A.Aitken@unl.ac.uk at Internet
Date:    5/10/96 1:55 AM


Quoth Kee Hinckley:
>At 4:43 PM  -0400 5/9/96, Jason T Vincent wrote: 
>>     Hey all,
>>
>>     I can create a database in MSQL by running  a perl cgi from the
>>     command line, but once I try to run the cgi through netscape it does 
>>     not create the database.  My guess is that it is not being created 
>>     because the server thinks that user 'nobody' is trying to create the
>>     database.  Is there a way to do this without creating a huge security 
>>     hole?
>
>I'd recommend running your server as somebody.  Anytime you've got a server 
>that is going to be creating and/or modifying the system I think it's safer 
>to make it an actual user than make everything world-writable.  It's 
>certainly far more manageable.
     
I definitely would not recommend running the server as somebody.  It isn't 
necessary, and if the server is somebody it is less, not more, secure.  Why 
not create a directory for the database to be created in and give that 
directory to nobody?  That is what I do.  No suid or sgid scripts and only 
one place where the server can read and write.
     
Alastair Aitken http://www.unl.ac.uk/~alastair mailto:a.aitken@unl.ac.uk
Received on Friday, 10 May 1996 18:05:14 GMT
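The layout Alastair describes (a single directory handed to the server's user, and no suid/sgid scripts anywhere in the CGI tree) is easy to state and easy to drift away from, so here is a small audit script for it. This is an added example written for this archive page, not code from either correspondent; the directory names (DOCROOT, CGI_DIR, DB_DIR) and the server user are assumptions passed in as arguments, and the `setup_db_dir` helper needs root only when the target user is not the one running it.

```sh
#!/bin/sh
# Added example (not from the thread): audit the "one writable place, no
# suid/sgid scripts" layout described in the mailing-list reply.
# Arguments are hypothetical: DOCROOT is the served tree, CGI_DIR holds
# the scripts, DB_DIR is the one directory the server user may write,
# and USER is the account the web server (and therefore every CGI) runs as.

# Create the single writable directory: owned by the server user and
# mode 0700, so no other account on the host can read or write it.
setup_db_dir() {  # setup_db_dir DB_DIR USER
    mkdir -p "$1" && chown "$2" "$1" && chmod 0700 "$1"
}

# Print every setuid or setgid regular file under a directory.
# A clean CGI tree prints nothing.
find_suid_sgid() {  # find_suid_sgid CGI_DIR
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print paths under ROOT, skipping DB_DIR, that USER could write to:
# world-writable entries, or entries USER owns with the owner write bit.
# Anything printed is a second place a CGI running as USER can modify.
find_writable_outside() {  # find_writable_outside ROOT DB_DIR USER
    find "$1" -path "$2" -prune -o \
        \( -perm -0002 -o \( -user "$3" -perm -0200 \) \) -print
}

# Full audit. Returns 0 when the layout holds, 1 (with reasons on
# stdout) when it does not.
audit_layout() {  # audit_layout DOCROOT CGI_DIR DB_DIR USER
    rc=0
    # DB_DIR must exist, belong to USER, and be exactly 0700.
    [ -n "$(find "$3" -prune -user "$4" -perm 0700 -print 2>/dev/null)" ] \
        || { echo "FAIL: $3 must be owned by $4 with mode 0700"; rc=1; }
    s=$(find_suid_sgid "$2")
    [ -z "$s" ] || { echo "FAIL: setuid/setgid files under $2:"; echo "$s"; rc=1; }
    w=$(find_writable_outside "$1" "$3" "$4")
    [ -z "$w" ] || { echo "FAIL: writable by $4 outside $3:"; echo "$w"; rc=1; }
    return $rc
}

# Usage on a live host (as root, paths are illustrative):
#   setup_db_dir /var/www/db nobody
#   audit_layout /var/www /var/www/cgi-bin /var/www/db nobody
```

The check answers the .htaccess question in the first message too: a .htaccess file only restricts what HTTP clients may request from a directory, it does not change who may write to it on the filesystem. Every CGI the server executes runs as the same account, so any script that account runs can write wherever that account can write; the audit is what tells you whether that is one directory or many.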

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:19 GMT