* Jeff MacDonald <[EMAIL PROTECTED]> [000114 14:07] wrote:
> alfred, that seems like a very reasonable solution,
>
> in regard to the other chaps responce, i'm not worried
> about web users anyway, cause they can't see the perl
> source. it's users on the system i'd like to protect
> against.
I'm not sure what you mean, but there is a problem, unless you
execute the scripts as a user other than the default cgi user then
you may run into problems because then people can craft a cgi and
run it through the server to gain access to the 700 dir, you'll
either need some sort of setuid (to a special user, not root) or
use some sort of cgiwrapper.
-Alfred
>
> On Fri, 14 Jan 2000, Alfred Perlstein wrote:
>
> > * Jeff MacDonald <[EMAIL PROTECTED]> [000114 13:38] wrote:
> > > hey folks,
> > >
> > > this is a security issue i'd like to get some info
> > > on, i'm sure it's more with cgi than postgres, but
> > > heck.
> > >
> > > issue: how to secure cgi's that access postgres
> > >
> > > problem: passwords for postgres database are stored
> > > in plain text in scripts. (lets assume, perl,
> > > not a compiled language)
> > >
> > > points:
> > > make cgi dir 711
> > > big deal, they can get the name of the file
> > > from the web, and copy it.
> >
> > how about sourcing a conf file that's in a 700 dir?
> >
> > >
> > > set an obscure cgi script alias in apache
> > > big deal, they can read the cgi conf file.
> > >
> > > this is assuming they already have an account
> > > on the machine, something that cannot be ruled
> > > out.
> > >
> > > question in short: how to make perl accessing databases
> > > more secure, so any jack can't modify a database.
> > >
> > > thanks in advance.
> > >
> > > Jeff MacDonald
> > > [EMAIL PROTECTED]
> > >
> >
> > --
> > -Alfred Perlstein - [[EMAIL PROTECTED]|[EMAIL PROTECTED]]
> >
>
> Jeff MacDonald
> [EMAIL PROTECTED]
>
> ===================================================================
> So long as the Universe had a beginning, we can suppose it had a
> creator, but if the Universe is completly self contained , having
> no boundry or edge, it would neither be created nor destroyed
> It would simply be.
> ===================================================================
>
--
-Alfred Perlstein - [[EMAIL PROTECTED]|[EMAIL PROTECTED]]
************
