Re: cgiemail installs owned by root in /usr/lib/cgi-bin

To: debian-user@lists.debian.org
Subject: Re: cgiemail installs owned by root in /usr/lib/cgi-bin
From: Black Dew <bdew@bdew.yi.org>
Date: Mon, 29 Nov 2004 00:49:30 +0200
Message-id: <[🔎] r81q72-3si.ln1@bdew.yi.org>
In-reply-to: <35zWp-8eA-19@gated-at.bofh.it>
References: <[🔎] 20041128161704.GA18722@hpd.the-sphere.org>

Antonio Rodriguez wrote:

I noticed that when installing cgiemail it is set  as owned by root,
same as other scripts simultaneously installed in /usr/lib/cgi-bin
I figure this is right, I would be surprised if i were the first
finding a bug, but I don't see why it makes it safer than installing
it as owned by www-data:www-data. Can anyone answer this? Are all the
scripts here supposed to belong to root?


That prevents a compromised web server/script from overwriting some script.

Same is generally a good idea for anything that the web server needs toaccess but has no valid reason to modify.

Note that files can be either owned by root:whatever and be wordreadable (644) or owned by root:www-data and set group readable (640).Setting them owned by www-data:www-data with no write permisions (440)is useless as a compromised script can eassily chmod it to whatever itlikes.

Reply to:

Follow-Ups:
- Re: cgiemail installs owned by root in /usr/lib/cgi-bin
  - From: Antonio Rodriguez <arodriguez31@cfl.rr.com>

References:
- cgiemail installs owned by root in /usr/lib/cgi-bin
  - From: Antonio Rodriguez <arodriguez31@cfl.rr.com>

Prev by Date: Re: Floppy mount & unmount clarification please
Next by Date: Tedium of Network Settings
Previous by thread: cgiemail installs owned by root in /usr/lib/cgi-bin
Next by thread: Re: cgiemail installs owned by root in /usr/lib/cgi-bin
Index(es):
- Date
- Thread