httpd-users mailing list archives

From Kirk Bailey <idi...@netzero.net>
Subject Re: [users@httpd] CGI File Permissions...(not trivial question)
Date Tue, 14 Oct 2003 04:05:50 GMT
needs to be readable by all and sundry, executable alone is not enough. Try 755. 
Also, what identity is apache running as? Normally, it is 'nobody'. If the 
first suggestion barks like a dog, try changing ownership to 'nobody:nobody'.
755 is really the permission of preference. Also, check the cgi-bin directory's 
permissions and ownerships!

David A. Gershman wrote:

> Hello,
> 
>   I've searched and searched with no prevail for an answer.  Yes, my
> question is on CGI script file permissions, but it is not a trivial one.
> 
> Background:
> 
>   * apache 1.3.28 running as user 'apache' and group 'apache'
>   * web docs and cgis owned as user 'www' and group 'www'.
>   * 'apache' is a member of group 'www'
> 
> My Goal:
> 
>   To avoid modification of CGIs in the event of a web server exploit,
> the CGIs are owned by 'www', but *should* be allowed to run via proper
> file permissions.
> 
> I have the following script:
> #!/usr/bin/perl
> print "Content-type: text/plain\n\n";
> print `id`;
> 
> It is owned by 'www' as the following:
> -rwxr-x---    1 www      www           144 Oct 13 11:40 index.pl*
> 
> If I log in as 'apache' I can successfully run this script (since
> 'apache' is a member of 'www' ).  However, when I try and run the script
> from the web, I get a Forbidden message with the log file saying:
> 
>    file permissions deny server execution: /var/www/cgi-bin/index.pl
> 
> Notice the perms are 750.  When I change them to 755, the script runs
> fine with the following output:
> 
> uid=503(apache) gid=503(apache)groups=503(apache), 504(www)
> 
> 
> As you can see, apache *is* in the 'www' group even according to the
> script, but when the file permissions do *not* allow "other", the script
> cannot be run.
> 
> FYI, I have normal .html files setup the same way: owned by 'www'/'www'
> and chmod 640.  They're displayed via the web just fine.
> 
> Question: Why won't the script run with restricted permissions?  If this
> is some sort of security feature...why?  What risk am I not seeing???
> 
> Thanks.
> 
> --
> David A. Gershman
> ETC Sys Admin
> gershman@etc.rsc.raytheon.com
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
> 

-- 

end

Cheers!
         Kirk D Bailey

  +                              think                                +
   http://www.howlermonkey.net  +-----+        http://www.tinylist.org
   http://www.listville.net     | BOX |  http://www.sacredelectron.org
   Thou art free"-ERIS          +-----+     'Got a light?'-Prometheus
  +                              kniht                                +

Fnord.
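The exchange above boils down to one permission test applied by two different parties: the kernel, when David runs the script from a shell as 'apache', and the server's own pre-execution check, which produces the "file permissions deny server execution" log line. The model below is an added example, not Apache code and not from either poster; it parses an `ls -l` line and an `id` line (constructed here to match the values quoted in the thread) and evaluates the owner/group/other execute bits. The `use_supplementary` switch is an assumption: it models a checker that compares only the process's primary gid and never looks at supplementary group membership, which is the only reading under which 750 is refused while 755 is accepted for a user who `id` reports as being in group 'www'.

```python
import re
import stat

# Constructed sample inputs modelled on the listing and `id` output quoted in
# the thread (the trailing '*' from ls -F has been dropped).
LS_LINE = "-rwxr-x---    1 www      www           144 Oct 13 11:40 index.pl"
ID_OUTPUT = "uid=503(apache) gid=503(apache) groups=503(apache),504(www)"
# Name -> numeric id, as the `id` output in the thread reports them.
NAME_TO_ID = {"apache": 503, "www": 504}


def parse_mode_string(text):
    """Turn an `ls -l` mode string such as '-rwxr-x---' into stat mode bits."""
    flags = ((stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
             (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
             (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH))
    perms = text[1:10]                     # skip the file-type character
    bits = 0
    for triplet, chars in zip(flags, (perms[0:3], perms[3:6], perms[6:9])):
        for flag, ch in zip(triplet, chars):
            # 'r', 'w', 'x', 's', 't' set the bit; '-' and the capital
            # 'S'/'T' (setid/sticky without execute) do not.
            if ch != "-" and not ch.isupper():
                bits |= flag
    return bits


def octal_mode(mode):
    """Render the permission bits the way chmod would print them, e.g. '750'."""
    return format(stat.S_IMODE(mode), "o")


def parse_ls_line(line):
    """Return (mode bits, owner uid, group gid) for one `ls -l` line."""
    fields = line.split()
    return parse_mode_string(fields[0]), NAME_TO_ID[fields[2]], NAME_TO_ID[fields[3]]


def parse_id_output(text):
    """Return (uid, primary gid, [all gids]) from one line of `id` output."""
    uid = int(re.search(r"uid=(\d+)", text).group(1))
    gid = int(re.search(r"gid=(\d+)", text).group(1))
    groups_field = re.search(r"groups=(.*)", text).group(1)
    groups = [int(g) for g in re.findall(r"(\d+)\(", groups_field)]
    return uid, gid, groups


def can_exec(mode, file_uid, file_gid, uid, gid, supp_gids, use_supplementary):
    """Classic owner/group/other execute test.

    The kernel treats a process as a member of the file's group if the gid is
    its primary gid OR appears in its supplementary list.  A user-space check
    that only compares the primary gid (use_supplementary=False) falls through
    to the 'other' bits for every supplementary-group file.
    """
    if uid == file_uid:
        return bool(mode & stat.S_IXUSR)
    in_group = gid == file_gid or (use_supplementary and file_gid in supp_gids)
    if in_group:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def reproduce_thread(ls_line=LS_LINE, id_output=ID_OUTPUT):
    """Evaluate the 750 and 755 cases from the thread under both checkers."""
    mode, f_uid, f_gid = parse_ls_line(ls_line)
    uid, gid, supp = parse_id_output(id_output)
    mode_755 = mode | stat.S_IXOTH | stat.S_IROTH
    return {
        "kernel_750": can_exec(mode, f_uid, f_gid, uid, gid, supp, True),
        "primary_gid_only_750": can_exec(mode, f_uid, f_gid, uid, gid, supp, False),
        "kernel_755": can_exec(mode_755, f_uid, f_gid, uid, gid, supp, True),
        "primary_gid_only_755": can_exec(mode_755, f_uid, f_gid, uid, gid, supp, False),
    }


if __name__ == "__main__":
    for case, allowed in reproduce_thread().items():
        print(f"{case:>22}: {'runs' if allowed else 'denied'}")
```

Run as-is, the kernel-style check passes at 750 (matching the shell test as 'apache'), the primary-gid-only check denies at 750 and passes at 755 (matching the Forbidden-then-works sequence in the thread). Note that 755 on a file owned by 'www' still gives the 'apache' user no write bit, so the goal stated in the question, CGIs the server user cannot modify, survives the change Kirk recommends.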



