On Mon, Nov 29, 2004 at 12:49:30AM +0200, Black Dew wrote:
> Antonio Rodriguez wrote:
> >I noticed that when installing cgiemail it is set as owned by root,
> >same as other scripts simultaneously installed in /usr/lib/cgi-bin
> >I figure this is right, I would be surprised if I were the first
> >finding a bug, but I don't see why it makes it safer than installing
> >it as owned by www-data:www-data. Can anyone answer this? Are all the
> >scripts here supposed to belong to root?
>
> That prevents a compromised web server/script from overwriting some script.
>
> Same is generally a good idea for anything that the web server needs to
> access but has no valid reason to modify.
>
> Note that files can be either owned by root:whatever and be world
> readable (644) or owned by root:www-data and set group readable (640).
> Setting them owned by www-data:www-data with no write permissions (440)
> is useless as a compromised script can easily chmod it to whatever it
> likes.
>
Thank you for your explanation. I had just read some comments in the metafaq for cgi by Lincoln Stein, see http://www.w3.org/Security/Faq/wwwsf4.html question 20 before installing cgiemail and ls-ing cgi-bin ....

I wrote below a few statements about the logic for being root owned. Any comments are welcome.

The danger of being root owned would be in the fact that it can virtually do anything. If the script does only useful/good/harmless things then it doesn't matter who executes it. To modify it to make it do bad/harmful things, the black/brown hat hacker would need to have write permissions over the script. This means the (b/b)hh would have to be root. But then the (b/b)hh would not need the script.
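
An added example, not part of the original thread: a small audit that applies the ownership rules discussed above (root:whatever 644, root:www-data 640, and why www-data:www-data 440 does not help) to a cgi-bin listing. The uid/gid 33 for www-data, the file names and the sample entries are constructed assumptions.

```python
import os
import stat

def web_user_can_alter(uid, gid, mode, web_uid, web_gids):
    """Return the reason the web server account can change a file, or None."""
    if web_uid == 0:
        return "web server runs as root"
    if uid == web_uid:
        # The owner may chmod the file, so a read-only mode such as 440 does not help.
        return "owned by the web server user (chmod restores write access)"
    # Non-owners get the group bits if the group matches, otherwise the "other" bits.
    if gid in web_gids:
        return "writable through the web server's group" if mode & stat.S_IWGRP else None
    return "world-writable" if mode & stat.S_IWOTH else None

def audit(entries, web_uid, web_gids):
    """entries: iterable of (path, uid, gid, mode). Returns [(path, reason)]."""
    findings = []
    for path, uid, gid, mode in entries:
        reason = web_user_can_alter(uid, gid, mode, web_uid, web_gids)
        if reason:
            findings.append((path, reason))
    return findings

def stat_entries(directory):
    """Collect (path, uid, gid, mode) for a directory and its entries.
    The directory is included: write access to it allows replacing a script."""
    paths = [directory] + [e.path for e in os.scandir(directory)]
    out = []
    for p in paths:
        st = os.lstat(p)
        out.append((p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return out

# Constructed sample; uid/gid 33 stands in for www-data (assumption).
WEB_UID, WEB_GIDS = 33, {33}
SAMPLE = [
    ("root-644.cgi", 0, 0, 0o644),    # root:root, world readable
    ("root-640.cgi", 0, 33, 0o640),   # root:www-data, group readable
    ("owned-440.cgi", 33, 33, 0o440), # www-data:www-data, read-only
    ("group-660.cgi", 0, 33, 0o660),  # root:www-data, group writable
    ("world-646.cgi", 0, 0, 0o646),   # root:root, world writable
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE, WEB_UID, WEB_GIDS):
        print(f"{path}: {reason}")
```

To check a real directory, pass `stat_entries("/usr/lib/cgi-bin")` to `audit` with the uid and group ids of the account the web server actually runs as.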