Antonio Rodriguez wrote:
> I noticed that when installing cgiemail it is set as owned by root,
> same as other scripts simultaneously installed in /usr/lib/cgi-bin

> The danger of being root owned would be in the fact that it can
> virtually do anything.

no, it can't. If root owns an executable, and www-data runs it, it can only do what www-data can do.

This is just the same as if you run /bin/cat, for example; although it's owned by root, it runs with your permissions, not root's; when you run it, it does not have permission to read or write any file like root does. e.g:

    $ cat /etc/shadow
    cat: /etc/shadow: Permission denied

A special permission called "setuid" exists to make programs run as the owner of the executable instead of the user who's running them, but it is used as little as possible to prevent security holes due to bugs.

for example, if you run as root:

    chmod +s /bin/cat

then as non-root:

    cat /etc/shadow

you will be able to read the /etc/shadow (shadow password file) although you don't normally have permission to!

*** don't forget to remove this permission again (as root)!:

    chmod -s /bin/cat

This setuid feature doesn't work for scripts (such as cgiemail), it only works for compiled executables. Apparently there is more of a security risk if scripts can be setuid, although I'm not quite sure why; so it's not permitted by the kernel at all.

This is probably a lot more than you ever wanted to know about unix permissions :)

Sam
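An added example, not part of the message above: a Python audit that reports, for each executable in a directory such as /usr/lib/cgi-bin, whether it would run with the caller's identity or the owner's. The function names and sample files are constructed for illustration, and the script rule follows the message's statement that the kernel does not honour setuid on scripts.

```python
import os
import stat
import tempfile

def effective_identity(mode, owner_uid, head):
    """Say whose privileges a file with these attributes runs with."""
    if not mode & stat.S_ISUID:
        return "caller"  # ownership alone grants the process nothing
    if head.startswith(b"#!"):
        return "caller (setuid bit ignored on scripts)"
    # Mount options such as nosuid can also disable this; not checked here.
    return "owner uid %d" % owner_uid

def audit(directory):
    """Return one record per executable regular file in `directory`."""
    records = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
            continue  # skip symlinks, directories and non-executables
        with open(path, "rb") as fh:
            head = fh.read(2)
        records.append({
            "name": name,
            "owner": st.st_uid,
            "setuid": bool(st.st_mode & stat.S_ISUID),
            "script": head == b"#!",
            "runs_as": effective_identity(st.st_mode, st.st_uid, head),
        })
    return records

def build_sample(directory):
    """Constructed sample files standing in for a cgi-bin directory."""
    samples = {
        "plain-binary": (b"\x7fELF" + b"\0" * 12, 0o755),
        "setuid-binary": (b"\x7fELF" + b"\0" * 12, 0o4755),
        "setuid-script": (b"#!/bin/sh\necho hello\n", 0o4755),
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*audit(tmp), sep="\n")
```

Pointing `audit()` at a real directory shows at a glance that root-owned files without the setuid bit report "caller", which is the case described in the message.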