[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: cgi in webb apps location

On 06/29/2010 11:34 PM, Damyan Ivanov wrote:
-=| glaskoncILLa, Tue, Jun 29, 2010 at 10:37:39PM +0200 |=-
Example from my testing VM;

-rwxr--r-- 1 root root  2211 Jun 14 20:09

pointing browser on results with;

tail -n 2 /var/log/apache2/error.log
[Tue Jun 29 21:56:01 2010] [error] (13)Permission denied: exec of
'/usr/share/gestioip/index.cgi' failed
[Tue Jun 29 21:56:01 2010] [error] [client] Premature end of
script headers: index.cgi, referer:

well, I think is obvious what is the issue here, root:root doesnt seems
as best choice.
root:root is fine. You just need to allow execution for everybody.
Change the permissions to 0755 (-rwxr-xr-x) and see if it helps.
It does, I have already done my first beta version like that, but actual question here is do I really want to give execute permission to everybody? Well, ok, everybody dont have write permissions, but isnt it better to limit permissions only on Apache user on 0500 or 0700, or something like root:www-data 0750 (ok, that can also include several users)?

I supose someone can use some security hole in Apache and do something bad but still its only one user, instead of n possible ones..
So, from your expirience, whats the best pratice?

And, if changing ownership is a option, is /usr/share/PACKAGE the best/allowed place for something like that?

I'm sory to bother you but I really want to do this as best as possible and I'm asking it on perl mailing list because web apps policy refers to perl policy for perl web apps and one guy from web reccomended this mailing list.



Reply to: