
Re: cgi in web apps location



-=| glaskoncILLa, Wed, Jun 30, 2010 at 12:18:09AM +0200 |=-
> On 06/29/2010 11:34 PM, Damyan Ivanov wrote:
>> -=| glaskoncILLa, Tue, Jun 29, 2010 at 10:37:39PM +0200 |=-
>>    
>>> Example from my testing VM;
>>>
>>> -rwxr--r-- 1 root root  2211 Jun 14 20:09
>>> /usr/share/gestioip/index.cgi
>>>
>>> pointing browser on http://127.0.0.1/gestioip/index.cgi results with;
>>>
>>> tail -n 2 /var/log/apache2/error.log
>>> [Tue Jun 29 21:56:01 2010] [error] (13)Permission denied: exec of
>>> '/usr/share/gestioip/index.cgi' failed
>>> [Tue Jun 29 21:56:01 2010] [error] [client 127.0.0.1] Premature end of
>>> script headers: index.cgi, referer: http://127.0.0.1/gestioip/index.cgi
>>>
>>> well, I think it is obvious what the issue is here; root:root doesn't seem
>>> like the best choice.
>>>      
>> root:root is fine. You just need to allow execution for everybody.
>> Change the permissions to 0755 (-rwxr-xr-x) and see if it helps.
>>    
> It does, I have already done my first beta version like that, but the actual
> question here is: do I really want to give execute permission to
> everybody?
> Well, ok, everybody doesn't have write permissions, but isn't it better to
> limit permissions only to the Apache user with 0500 or 0700, or something like
> root:www-data 0750 (ok, that can also include several users)?

It depends on whom you want to protect yourself from. If the CGI is 
accessible by people on the Internet, then restricting local users 
gives you nothing - they could just run the CGI via their browser.

> I suppose someone can use some security hole in Apache and do 
> something bad, but still it's only one user, instead of n possible 
> ones..
> So, from your experience, what's the best practice?

What you must not do is make the cgi writable by the apache user. If 
you do, a breach into some apache script would allow attackers to 
replace your cgi.

> And, if changing ownership is an option, is /usr/share/PACKAGE the 
> best/allowed place for something like that?

I haven't read the webapp policy, but the regular policy states:

    11.5. Web servers and applications
    ----------------------------------

         This section describes the locations and URLs that should be 
         used by all web servers and web applications in the Debian 
         system.

         1. Cgi-bin executable files are installed in the directory
                /usr/lib/cgi-bin/<cgi-bin-name>
            and should be referred to as
                http://localhost/cgi-bin/<cgi-bin-name>

> I'm sorry to bother you, but I really want to do this as well as possible, 
> and I'm asking on the perl mailing list because the web apps policy refers to 
> the perl policy for perl web apps and one guy from the web recommended this 
> mailing list.

CGI scripts implemented in Perl are like any other CGI script. If you 
use mod_perl, then things are different.


HTH,
    dam
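The permission advice in this thread (the web server user must be able to execute the CGI but must never be able to write it), as an added check that is not part of the original message: a POSIX sh function with the hypothetical name cgi_perm_check, which assumes GNU coreutils stat and takes the web user's group list explicitly so it can be run where that user does not exist.

```shell
#!/bin/sh
# Audit one CGI file against the rule from the thread: the web server user
# (e.g. www-data) must be able to execute it and must NOT be able to write it.
# Hypothetical helper, not code from the original post. Assumes GNU stat.
# Usage: cgi_perm_check FILE WEBUSER "GROUP1 GROUP2 ..."
#   GROUPS is the web user's group list, e.g. "$(id -Gn www-data)".
# Returns 0 when the file passes, 1 when it fails, 2 on a usage/stat error.
cgi_perm_check() {
    file=$1; webuser=$2; webgroups=$3
    [ -f "$file" ] || { echo "no such file: $file"; return 2; }
    info=$(stat -c '%a %U %G' "$file" 2>/dev/null) || return 2
    set -- $info
    mode=$1; owner=$2; group=$3
    # Drop a leading setuid/setgid/sticky digit so only ugo digits remain.
    [ ${#mode} -eq 4 ] && mode=${mode#?}
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}
    # Pick the permission class that applies to the web user:
    # owner bits if it owns the file, group bits if the file's group is one of
    # its groups, otherwise the "other" bits.
    in_group=1
    for grp in $webgroups; do [ "$grp" = "$group" ] && in_group=0; done
    if [ "$owner" = "$webuser" ]; then cls=$u
    elif [ $in_group -eq 0 ]; then cls=$g
    else cls=$o; fi
    # Octal digit bits: 4 = read, 2 = write, 1 = execute.
    if [ $((cls & 2)) -ne 0 ]; then
        echo "BAD: $file writable by $webuser (mode $mode, $owner:$group)"
        return 1
    fi
    if [ $((cls & 1)) -eq 0 ]; then
        echo "BAD: $file not executable by $webuser (mode $mode, $owner:$group)"
        return 1
    fi
    echo "OK: $file (mode $mode, $owner:$group)"
    return 0
}
```

Run it over a whole directory with `for f in /usr/lib/cgi-bin/*; do cgi_perm_check "$f" www-data "$(id -Gn www-data)"; done`; both 0755 root:root and 0750 root:www-data pass, while anything group- or world-writable, or owned by www-data with 0700, is reported.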
