
Re: /usr/lib/cgi-bin ownerships and permissions



Colin Telmer writes:

 > My question pertains to dedicating a user to webmaster to allow the user
 > to create and maintain cgi scripts. 
 > 
 > First, do cgi scripts get run by www-data?

 Yes, they are run as the same user and group as the server, which you 
set in the configuration files under "/etc/apache".

 With Apache 1.2, there is a program called `suexec` (I think) that
lets CGI scripts run as the user that owns them.  There is also a
program out called `CGI-wrap` that will do a similar thing.  You
can configure Apache to run cgi from anyplace you tell it, or any
executable with a certain extension, etc.  The documentation will tell
you a lot.

 > When apache (or I assume any web server following the new web standard) is
 > installed, it creates the directory /usr/lib/cgi-bin (if it wasn't there
 > already) with the directory cgi-bin belonging to root:root and permission
 > 755 (which is what the policy manual dictates).

 I like to set that directory ownership root.webmaste, and set the
permissions to u=rwx,g=rwxs,o=rx.  Then you just add whomever you like
to the webmaste group, and they have access then.  The SGID bit on the
directory ensures that all files they create will be owned by group
webmaste.

 Another thing you can do is set `htpasswd` to root.www-data,
u=rx,g=rxs,o=rx, so that when it creates a password file, it creates
it group owned by www-data.  The user can then `chmod u=rw,g=rw,o=`
the .htpasswd file, and nobody else on the system can grab it.  (I
think that a cgi script running as www-data could still get the
passwords, and that the `suexec` wrapper is meant to solve this sort
of thing.)

-- 
Karl M. Hegbloom <karlheg@inetarena.com>
http://www.inetarena.com/~karlheg
Portland, OR  USA
Debian GNU 1.2  Linux 2.0.30t
You tell me and we'll both know.
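The directory and password-file setup described in the reply above, as an added example that is not part of the original post: it reproduces the setgid cgi-bin directory and the locked-down .htpasswd on a scratch directory without root, so the current user stands in for root and one of the user's own groups stands in for webmaste. It assumes a POSIX shell with ls, awk, chgrp and mktemp available.

```shell
# Added example, not from the original post: the current user stands in for
# root and a group the user already belongs to stands in for "webmaste".
set -eu
# pick_group: a secondary group of the current user when one exists (so the
# SGID inheritance is visible), otherwise the primary group.
pick_group() {
    primary=$(id -gn)
    for g in $(id -Gn); do
        [ "$g" != "$primary" ] && { echo "$g"; return 0; }
    done
    echo "$primary"
}
# setup_cgi_dir DIR GROUP: group-owned, u=rwx,g=rwxs,o=rx as in the post.
setup_cgi_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod u=rwx,g=rwxs,o=rx "$1"
}
# mode_and_group PATH: prints e.g. "drwxrwsr-x webmaste"; the trailing
# SELinux/ACL marker ls may append to the mode is stripped for portability.
mode_and_group() {
    ls -ld "$1" | awk '{sub(/[.+]$/, "", $1); print $1, $4}'
}
# new_file_group DIR: create a file in DIR and print the group it received.
# With the SGID bit set this is DIR's group, not the creator's primary group.
new_file_group() {
    : > "$1/hello.cgi"
    ls -l "$1/hello.cgi" | awk '{print $4}'
}
# lock_htpasswd FILE: the u=rw,g=rw,o= step from the post, so only the owner
# and the file's group (www-data in the post) can read it; prints the mode.
lock_htpasswd() {
    : > "$1"
    chmod u=rw,g=rw,o= "$1"
    ls -l "$1" | awk '{sub(/[.+]$/, "", $1); print $1}'
}
# Stand-alone demo on a temporary directory, cleaned up afterwards.
demo() {
    d=$(mktemp -d); g=$(pick_group)
    setup_cgi_dir "$d/cgi-bin" "$g"
    mode_and_group "$d/cgi-bin"
    new_file_group "$d/cgi-bin"
    lock_htpasswd "$d/cgi-bin/.htpasswd"
    rm -rf "$d"
}
demo
```

The inheritance is only visible when the chosen group differs from the creator's primary group, which is exactly the case for a webmaste user whose primary group is something else.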

