Re: Private CGI-dir - a security risk

From: Gerald W. Edgar <gwe3409@drtn009.ca.boeing.com>
Date: Mon, 1 May 1995 14:51:09 -0700 (PDT)
Message-Id: <9505012156.AA21539@atc.boeing.com>
To: www-talk@www10.w3.org
Cc: wendy@drtn001.ca.boeing.com, cingalls@drtn001.ca.boeing.com

In one note about CGI from Vidar Madsen there is a mention that a CGI may 
overwrite files that the "webmaster" account owns. This may include 
configuration files. 

There is a simple solution. Have the httpd run under a second 
userid/groupid. 

Permission could be given to read the configuration 
file, but since the daemon executes under another account
it would not have permission by default to destroy the files.

In this situation one must be careful to give appropriate 
permission to directories and files for public read and execute
permission only as needed. One must exercise caution in giving write 
privileges.

Gerald Edgar
"My opinions"
Received on Monday, 1 May 1995 18:13:41 UTC
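
The separation described in the message above can be checked with a permission audit. The following is an added example, not part of the original post: it walks a server tree and lists what a given account could alter, including writable directories, where entries can be deleted or replaced even if the files are read-only. The tree layout, file names and uid values are constructed for illustration; only classic mode bits are evaluated (ACLs and the sticky bit are not modelled).

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """Mode-bit check: only the first matching class (owner, group, other) applies."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(root, uid, gids):
    """Return sorted (path, reason) pairs that the given account could alter."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Write permission on a directory lets the account delete or replace
        # entries in it, even when the files themselves are read-only.
        if can_write(os.lstat(dirpath), uid, gids):
            findings.append((dirpath, "directory writable"))
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and can_write(st, uid, gids):
                findings.append((path, "file writable"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample tree, owned by whoever runs the script."""
    root = tempfile.mkdtemp(prefix="srvroot-")
    for d, mode in (("conf", 0o755), ("logs", 0o777)):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    for f, mode in (("conf/httpd.conf", 0o644), ("conf/access.conf", 0o666)):
        path = os.path.join(root, f)
        with open(path, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(path, mode)
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    owner = os.lstat(root).st_uid
    for label, uid in (("daemon shares owner uid", owner), ("separate daemon uid", owner + 1)):
        print(label)
        for path, reason in audit(root, uid, set()):
            print("  ", os.path.relpath(path, root), "-", reason)
```

With a separate uid only the world-writable file and directory remain as findings; with the shared uid every path in the tree is reported.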

This archive was generated by hypermail 2.4.0 : Monday, 20 January 2020 16:08:17 UTC