> > On Dec 8, 2003, at 3:15 PM, Dan Anderson wrote:
> >
> > > I have a perl script that writes to its directory, and as such
> > > the directory is CHMOD 777 in my cgi-bin. (Linux box) I figured this
> > > might be dangerous, but didn't think there was any harm in it. Am I
> > > right or will the script kiddies be all over me?
>
> remember the basic permission issues,
> that final 7 is the killer, it will allow
> anyone who can get to it to 'write' to it.
>

Which I think might need to be clarified a bit... Anyone that "can get to it" implies local server access rather than simply a web browser anywhere in the world.

> Which would allow them to install anything
> in that directory that they would want to
> install, and then call it...
>

Again, "installing" has a bigger definition than merely writing a file into a directory, but regardless the web server still has to have the ability to do this "installing" or to provide access to "write" a file into an arbitrary location (*and* with proper executable permissions so that it will execute).

> general practice is maybe 755 for a
> cgi bin directory since there really is
> no gooder reason for group to have 'write'
> access to the directory.
>

Having clarified that, the security risk of *just* having a 777 directory is not as great as many elsewhere would have you think, but it is still not good practice. There are times I think when having group write permission on a directory is a conscious decision, but it *needs* to be (a conscious decision) before one applies said permissions. This is where we get into the domain of "best practices" in order to reduce vulnerability rather than absolute musts to ensure even minimal security.

Of course all of this hinges on the server software and configuration thereof. If your server software allows PUT request methods then all bets are off....

http://danconia.org

--
Boycott the Sugar Bowl! You couldn't pay me to watch that game.

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<http://learn.perl.org/> <http://learn.perl.org/first-response>
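The "final 7" point and the 755 recommendation from the exchange above can be turned into a repeatable audit. The script below is an added example and is not code from the thread or from the list; it assumes a POSIX sh with find(1), ls(1) and cut(1), and the cgi-bin path is supplied by the caller (the `CGI_BIN_TO_AUDIT` variable and every function name are this example's own choices).

```shell
# Added example, not from the original thread: audit a cgi-bin tree for
# directories whose permission bits grant group or world ('other') write
# access, the "final 7" problem discussed above. Assumes a POSIX sh with
# find(1), ls(1) and cut(1); the directory path is supplied by the caller.

# Convert a symbolic mode as printed by `ls -l` ("drwxr-xr-x") into its
# three-digit octal form ("755"). A lowercase s/t in an execute slot still
# counts as execute; setuid/setgid/sticky themselves are not reported.
mode_to_octal() {
    bits=$(printf '%s' "$1" | cut -c2-10)   # drop the leading file-type char
    result=""
    for triple in "$(printf '%s' "$bits" | cut -c1-3)" \
                  "$(printf '%s' "$bits" | cut -c4-6)" \
                  "$(printf '%s' "$bits" | cut -c7-9)"; do
        n=0
        case $triple in r??) n=$((n + 4)) ;; esac
        case $triple in ?w?) n=$((n + 2)) ;; esac
        case $triple in ??[xst]) n=$((n + 1)) ;; esac
        result="$result$n"
    done
    printf '%s\n' "$result"
}

# Octal mode of a single directory, e.g. "777" for the poster's cgi-bin.
dir_mode_octal() {
    mode_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

# List directories under $1 (itself included) that anyone may write to:
# the 'other' write bit (0002) is set, as in 777, 757 or 1777.
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# List directories under $1 that are group-writable but not world-writable
# (e.g. 775). Group write may be a conscious decision; world write rarely is.
group_writable_dirs() {
    find "$1" -type d -perm -0020 ! -perm -0002 2>/dev/null
}

# Succeed (exit 0) when directory $1 itself is no wider than 755, i.e. neither
# group nor other may write to it; fail otherwise. -prune stops find from
# descending, so only $1 is examined.
dir_is_755_or_tighter() {
    [ -z "$(find "$1" -prune -type d \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]
}

# Remediation matching the thread's advice: reset every group- or
# world-writable directory under $1 to 755 (owner rwx, group and other rx).
tighten_dirs() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) -exec chmod 755 {} + 2>/dev/null
}

# Human-readable report for a cgi-bin tree.
audit_report() {
    echo "== directories under $1 writable by anyone (other write bit set) =="
    world_writable_dirs "$1"
    echo "== directories under $1 writable by group only =="
    group_writable_dirs "$1"
}

# Stand-alone usage (hypothetical variable): CGI_BIN_TO_AUDIT=/path/to/cgi-bin sh audit.sh
if [ -n "${CGI_BIN_TO_AUDIT:-}" ]; then
    audit_report "$CGI_BIN_TO_AUDIT"
fi
```

The audit deliberately keeps group-writable and world-writable directories in separate lists, because the reply treats them differently: group write can be a conscious decision, while the 'other' write bit is the one that hands write access to every local account. Note that a world-writable directory with the sticky bit (1777, as on /tmp) is still reported, since the bit that matters for the question is 0002, not the sticky bit.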