
Re: cgi in webb apps location



On 06/29/2010 11:34 PM, Damyan Ivanov wrote:
> -=| glaskoncILLa, Tue, Jun 29, 2010 at 10:37:39PM +0200 |=-
>> Example from my testing VM;
>>
>> -rwxr--r-- 1 root root  2211 Jun 14 20:09
>> /usr/share/gestioip/index.cgi
>>
>> pointing browser on http://127.0.0.1/gestioip/index.cgi results with;
>>
>> tail -n 2 /var/log/apache2/error.log
>> [Tue Jun 29 21:56:01 2010] [error] (13)Permission denied: exec of
>> '/usr/share/gestioip/index.cgi' failed
>> [Tue Jun 29 21:56:01 2010] [error] [client 127.0.0.1] Premature end of
>> script headers: index.cgi, referer: http://127.0.0.1/gestioip/index.cgi
>>
>> well, I think it is obvious what the issue is here; root:root doesn't seem
>> like the best choice.
>
> root:root is fine. You just need to allow execution for everybody.
> Change the permissions to 0755 (-rwxr-xr-x) and see if it helps.

It does, I have already done my first beta version like that, but the actual question here is: do I really want to give execute permission to everybody? Well, OK, everybody doesn't have write permissions, but isn't it better to limit permissions to only the Apache user with 0500 or 0700, or something like root:www-data 0750 (OK, that can also include several users)?

I suppose someone can use some security hole in Apache and do something bad, but still it's only one user, instead of n possible ones.
So, from your experience, what's the best practice?

And, if changing ownership is an option, is /usr/share/PACKAGE the best/allowed place for something like that?

I'm sorry to bother you, but I really want to do this as well as possible, and I'm asking it on the Perl mailing list because the web apps policy refers to the Perl policy for Perl web apps and one guy from the web recommended this mailing list.

Thx.

Nenad
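
The ownership and mode options raised in this message can be compared by modelling the POSIX permission-class check. The following is an added example, not part of the original post; the accounts (`www-data` as the Apache user, `alice` as an unrelated local user) and all helper names are assumptions made for illustration.

```python
# Added example: models which permission class applies to a user for each
# ownership/mode option discussed in the thread. Accounts are sample values.
R, W, X = 4, 2, 1

def perm_bits(mode, owner, group, user, user_groups):
    """Return the rwx bits that apply to `user`; exactly one class is used."""
    if user == owner:
        return (mode >> 6) & 7      # owner class
    if group in user_groups:
        return (mode >> 3) & 7      # group class
    return mode & 7                 # other class

def can(mode, owner, group, user, user_groups, want):
    if user == "root":
        # root bypasses read/write checks, but exec still needs some x bit set
        return want != X or bool(mode & 0o111)
    return bool(perm_bits(mode, owner, group, user, user_groups) & want)

# Constructed accounts: user name -> set of groups the user belongs to.
USERS = {"www-data": {"www-data"}, "alice": {"alice"}}

# (label, mode, owner, group) for each option mentioned in the thread.
OPTIONS = [
    ("root:root 0744 (error log)", 0o744, "root", "root"),
    ("root:root 0755", 0o755, "root", "root"),
    ("root:www-data 0750", 0o750, "root", "www-data"),
    ("www-data:www-data 0700", 0o700, "www-data", "www-data"),
]

def report():
    rows = {}
    for label, mode, owner, group in OPTIONS:
        for user, groups in USERS.items():
            args = (mode, owner, group, user, groups)
            rows[(label, user)] = {
                # an interpreted CGI script must be executable and readable
                "run": can(*args, X) and can(*args, R),
                "write": can(*args, W),
                # only the file's owner (or root) may chmod it
                "chmod": user in (owner, "root"),
            }
    return rows

if __name__ == "__main__":
    for (label, user), row in report().items():
        print(f"{label:28} {user:9} {row}")
```

In this model, the 0700 option owned by the web server account is the only one in which that account can also rewrite or chmod the script it executes.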

