[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cgi security - how to protect the data?



On Fri, 18 Apr 1997, Ronell (Ron) Elkayam wrote:

> We're running a cgi form and the contents are stored on the cgi-server
> shell account.  Is there a way to hide the contents of the cgi script
> itself so local shell users won't be able to simply look at the file,
> figure out where the data files are, and mess up the data?
> 
> I *must* give everyone both read and execute permissions on the cgi
> script, and write permission on the actual data files.  I could hide the
> data files in an unreadable directory, but again, anyone with a
> cgi-account here could still read the cgi script and find out where the
> data is...

not a question for the tech list really...
a cgi is usually run as the UID of the server on the machine, which would
be "nobody", and not root, so noone need to be able to read the files or
execute the script other than nobody. just change the ownership and
modifiers to 700.


   -------------------------------------------------------------
   Ira Abramov          <ira@scso.com>        Scalable Solutions
   POBox 3600, Jerusalem 91035, Israel       Tel (972)2-642-6822
   http://www.scso.com/~ira   Check out: http://www.linux.org.il


Follow-Ups: