I noticed that when installing cgiemail it is set as owned by root, same as other scripts simultaneously installed in /usr/lib/cgi-bin. I figure this is right, I would be surprised if I were the first finding a bug, but I don't see why it makes it safer than installing it as owned by www-data:www-data. Can anyone answer this? Are all the scripts here supposed to belong to root?
That prevents a compromised web server/script from overwriting some script.
Same is generally a good idea for anything that the web server needs to access but has no valid reason to modify.
Note that files can be either owned by root:whatever and be world readable (644) or owned by root:www-data and set group readable (640).
Setting them owned by www-data:www-data with no write permissions (440) is useless as a compromised script can easily chmod it to whatever it likes.
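The ownership rule from the reply above, written as an audit (an added example, not part of the original thread). It flags anything in a CGI directory that the web server account could modify and shows that mode 440 does not stop the owner. The function names are hypothetical, and in the constructed sample the current user stands in for www-data, since creating files owned by another account needs root.

```python
import os
import stat
import tempfile

def audit_cgi_dir(directory, web_uid, web_gids):
    """Map each entry the web server account could modify to the reasons why.

    web_uid / web_gids are the numeric IDs the server runs as (assumed inputs,
    e.g. those of www-data). The key "." refers to the directory itself.
    """
    findings = {}
    entries = ["."] + sorted(os.listdir(directory))
    for name in entries:
        st = os.lstat(os.path.join(directory, name))
        if not (stat.S_ISREG(st.st_mode) or name == "."):
            continue
        reasons = []
        if st.st_uid == web_uid:
            # The owner can always chmod, so the mode bits give no protection.
            reasons.append("owned by web user")
        elif st.st_gid in web_gids and st.st_mode & stat.S_IWGRP:
            reasons.append("writable by web group")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample():
    """Constructed sample directory; the current user stands in for www-data."""
    d = tempfile.mkdtemp(prefix="cgi-bin-sample-")
    for name, mode in (("a644.cgi", 0o644), ("b640.cgi", 0o640), ("c440.cgi", 0o440)):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return d

def owner_can_restore_write(path):
    """Show that a read-only (440) file is still modifiable by its owner."""
    os.chmod(path, 0o640)  # succeeds because the caller owns the file
    with open(path, "a") as f:
        f.write("# modified\n")
    return stat.S_IMODE(os.stat(path).st_mode)

if __name__ == "__main__":
    sample = build_sample()
    print(audit_cgi_dir(sample, os.getuid(), set(os.getgroups()) | {os.getgid()}))
    print(oct(owner_can_restore_write(os.path.join(sample, "c440.cgi"))))
```

The directory itself is checked too, because write access to it allows a script to be replaced even when the file is owned by root.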