Re: Private CGI-dir - a security risk from Gerald W. Edgar on 1995-05-01 (www-talk@w3.org from May to June 1995)

From: Gerald W. Edgar <gwe3409@drtn009.ca.boeing.com>
Date: Mon, 1 May 1995 14:51:09 -0700 (PDT)
To: www-talk@www10.w3.org
Cc: wendy@drtn001.ca.boeing.com, cingalls@drtn001.ca.boeing.com
Message-Id: <9505012156.AA21539@atc.boeing.com>

In one note  about CGI from Vidar Madsen a mension that a CGI may 
overwrite files that the "webmaster" account owns. This may include 
configuration files. 

There is a simple solution. Have the httpd run under a second 
userid/groupid. 

Permission could be given to read the configuration 
file, but since the daemon executes under another account
it would not have permission by default to destroy the files.

In this situation one must be careful to give appropriate 
permission to directories and files for public read and execute
permission only as needed. One must exercize caution in giving write 
privilages.

Gerald Edgar
"My opinions"

Received on Monday, 1 May 1995 18:13:41 UTC