On Tue, 9 Sep 2003 05:57:44 +0000
[EMAIL PROTECTED] (Greenhalgh David) wrote:

> 
> On Tuesday, September 9, 2003, at 02:04 AM, Alejandro Chavarria - 
> CyPage wrote:

> If you want your CGI to be able to read from a file, then so can
> everyone else. In that case, the best you can do is remove write
> access unless the script is actually running. Not foolproof. If you
> use the above code to chmod to a writeable file, then the script dies
> before you get the chance to chmod it back again you are left with the
> original security issue until you either notice or the script runs
> successfully.

Am I missing some operating system specific undertones here? As far as I
know, if you set your permissions properly in the first place, then only
the users that you allow to view a file can view a file. If you want
them to write to it, allow them to write to it. Likewise for execution.

Let's say that the user 'httpd' is running my webserver. This means that
any file created by the server is automatically owned by 'httpd'. The
default for file creation by any user is 664 (-rw-rw-r--), so a file
created by 'httpd' will be CHMOD to 664 automatically. What we should do
is have files created as the less social 644; the webserver can then
read and write to it; only the group (any other users in the 'httpd'
group) and the rest of the world can view it but not write to it.

Hope that helps,

GL 


-- 
Gavin Laking - Web Development Daemon

http://www.gavinlaking.co.uk/
--
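
An added example, not part of either message above: a shell sketch showing how the process umask decides the mode of a newly created file, and how a write window on a read-only data file can be closed again even when the writer dies early. The function names and the temporary files are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example; function names and sample files are hypothetical.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create an empty file under a given umask.
# A new file gets mode 666 with the umask bits cleared.
create_with_umask() {   # $1 = umask, $2 = path of a file that does not exist yet
    ( umask "$1"; : > "$2" )
}

# Append one line to a read-only data file. Write access exists only inside
# the subshell; the EXIT trap puts 444 back whether the write succeeds or the
# writer exits early. SIGKILL or a power loss cannot be trapped.
guarded_append() {      # $1 = path, $2 = line, $3 = "fail" to simulate a crash
    (
        f=$1
        trap 'chmod 444 "$f"' EXIT
        trap 'exit 1' HUP INT TERM
        chmod 644 "$f"
        [ "${3:-}" = "fail" ] && exit 1
        printf '%s\n' "$2" >> "$f"
    )
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
create_with_umask 002 "$demo_dir/group-writable"
create_with_umask 022 "$demo_dir/owner-only-write"
echo "umask 002 -> $(mode_of "$demo_dir/group-writable")"
echo "umask 022 -> $(mode_of "$demo_dir/owner-only-write")"
chmod 444 "$demo_dir/owner-only-write"
guarded_append "$demo_dir/owner-only-write" "entry" fail || true
echo "after failed write -> $(mode_of "$demo_dir/owner-only-write")"
rm -rf "$demo_dir"
```
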
