- From: Jason T Vincent <Jason.T.Vincent@jpl.nasa.gov>
- Date: 10 May 1996 15:00:39 -0700
- To: "www-talk@w3.org" <www-talk@w3.org> (Return requested), "A.Aitken@unl.ac.uk" <A.Aitken@unl.ac.uk> (Return requested)
I've tried the idea of creating a directory owned by 'nobody' in my
web pages at my college. My friends (which have way too much free
time) wrote their own cgi's and was able to edit that directory. It
was ok for those pages, but these are government pages, they must be
as secure as possible. Can this still be done if the directory is
secured with a .htaccess file????
Jason
jason.t.vincent@jpl.nasa.gov
______________________________ Reply Separator _________________________________
Subject: Re: creating a mSQL database with a www cgi
Author: A.Aitken@unl.ac.uk at Internet
Date: 5/10/96 1:55 AM
Quoth Kee Hinckley:
>At 4:43 PM -0400 5/9/96, Jason T Vincent wrote:
>> Hey all,
>>
>> I can create a database in MSQL by running a perl cgi from the
>> command line, but once I try to run the cgi through netscape it does
>> not create the database. My guess is that it is not being created
>> because the server thinks that user 'nobody' is trying to create the
>> database. Is there a way to do this without creating a huge security
>> hole?
>
>I'd recommend running your server as somebody. Anytime you've got a server
>that is going to be creating and/or modifying the system I think it's safer
>to make it an actual user than make everything world-writable. It's
>certainly far more manageable.
I definitely would not recommend running the server as somebody. It isn't
necessary and if the server is somebody it is less not more secure. Why
not create a directory for the database to be created and give that
directory to nobody. That is what I do. No suid or sgid scripts and only
one place where the server can read and write.
Alastair Aitken http://www.unl.ac.uk/~alastair mailto:a.aitken@unl.ac.uk
Received on Friday, 10 May 1996 18:05:14 UTC