On Sun, Mar 02, 2003 at 10:19:17AM -0500, Joel Gwynn wrote:
> I'm more concerned about other pair users being able to access the file.
> Currently, the file is stored above the document root, but it has to be
> readable by the cgi script, hence the user nobody in group www.

Without help from a system administrator, the solution space is pretty
thin.  Obviously, when the server runs all CGIs as the same user and
group, this effectively deprives CGIs of the standard Unix security
features, at least with respect to other, untrusted CGIs on the same
system.

The clean and safe solution would be to run your own copy of the web
server (if allowed) or configure the existing server for "suExec" (if
supported).

Barring those, the only solution I can think of is to write a setuid
program owned by you that runs the "real" CGI script.  However, you
should be aware of the long history of security bugs affecting setuid
programs written by competent programmers and the potential hole that
this would open up to your account.  See `perldoc perlsec` and
especially the section "Security Bugs".  (Note that suidperl may not
be installed, as it has had some of the aforementioned bugs.)

Even this solution will not work if, for example, the filesystem is
configured to ignore the setuid bit.

It is a question for the system administrator.

-- 
John Tobey <[EMAIL PROTECTED]>
\____^-^
/\  /\
_______________________________________________
Boston-pm mailing list
[EMAIL PROTECTED]
http://mail.pm.org/mailman/listinfo/boston-pm
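
The setuid-wrapper approach described in the message above, written out as a C program. This is an added example for this archive page, not code from John Tobey or from the Boston-pm list. It assumes the server runs CGIs as an unprivileged shared user (nobody/www), that you compile the wrapper as yourself and install it mode 6711 (setuid and setgid to your account), and that REAL_CGI, a hypothetical path, is your private script; the environment allow-list is this example's own choice, not something the thread specifies. It carries the two checks a wrapper of this kind most needs: it refuses to continue when the real and effective uid are equal (the setuid bit was ignored, the filesystem caveat raised in the message), and it execs the real script with a scrubbed environment and a fixed PATH instead of whatever the server and the request supplied.

```c
/* setuid CGI wrapper: an added example, not code from the original message.
 * Build as yourself, `chmod 6711 wrapper.cgi`, point the server at it. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define REAL_CGI "/home/example/private/real.cgi"   /* hypothetical path */
extern char **environ;
int setreuid(uid_t, uid_t), setregid(gid_t, gid_t); /* also builds in strict ISO mode */

/* CGI meta-variables passed through (an allow-list chosen for this example);
 * PATH, IFS, LD_PRELOAD, PERL5LIB and the rest are dropped, fixed PATH added. */
static const char *const allowed_env[] = {
    "CONTENT_LENGTH", "CONTENT_TYPE", "GATEWAY_INTERFACE", "HTTP_COOKIE",
    "HTTP_HOST", "HTTP_USER_AGENT", "PATH_INFO", "QUERY_STRING",
    "REMOTE_ADDR", "REQUEST_METHOD", "SCRIPT_NAME", "SERVER_NAME",
    "SERVER_PORT", "SERVER_PROTOCOL", "SERVER_SOFTWARE", NULL
};

int env_allowed(const char *name)
{
    for (size_t i = 0; allowed_env[i]; i++)
        if (strcmp(allowed_env[i], name) == 0) return 1;
    return 0;
}

void free_env(char **env)
{
    for (size_t i = 0; env && env[i]; i++) free(env[i]);
    free(env);
}

static char *dupstr(const char *s)          /* strdup without feature macros */
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Fresh environment: allow-listed "NAME=value" entries from envp, then a fixed
 * PATH, NULL-terminated. Returns NULL on allocation failure. */
char **build_safe_env(char *const envp[])
{
    size_t n = 0, k = 0;
    while (envp[n]) n++;
    char **out = calloc(n + 2, sizeof *out);          /* + PATH + terminator */
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(envp[i], '=');
        char name[64];
        if (!eq || (size_t)(eq - envp[i]) >= sizeof name) continue;
        memcpy(name, envp[i], (size_t)(eq - envp[i]));
        name[eq - envp[i]] = '\0';
        if (!env_allowed(name)) continue;
        if (!(out[k++] = dupstr(envp[i]))) { free_env(out); return NULL; }
    }
    if (!(out[k++] = dupstr("PATH=/usr/bin:/bin"))) { free_env(out); return NULL; }
    out[k] = NULL;
    return out;
}

/* Make real == effective == the wrapper's owner for uid and gid, so the script
 * runs entirely as you (and Perl does not see mismatched ids and force taint
 * mode). Returns -1 when no privilege change took place, i.e. the setuid bit
 * was not honoured (plain execution or a "nosuid" mount): then refuse to go on
 * rather than run the private script as the server user. */
int drop_to_owner(void)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    if (getuid() == euid) return -1;
    if (setregid(egid, egid) != 0 || setreuid(euid, euid) != 0) return -1;
    if (getuid() != euid || geteuid() != euid) return -1;
    if (getgid() != egid || getegid() != egid) return -1;
    return 0;
}

/* Constructed sample environment in the shape a server hands to a CGI; feed
 * it to build_safe_env() to see what the filter keeps. */
char *const sample_env[] = {
    "QUERY_STRING=user=joel", "REQUEST_METHOD=GET", "LD_PRELOAD=/tmp/evil.so",
    "PATH=/tmp:/usr/bin", "IFS= ", "NOEQUALSSIGN", NULL
};

int main(void)
{
    if (drop_to_owner() != 0) {
        fputs("Status: 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n"
              "wrapper: setuid privileges not available\r\n", stdout);
        return 1;
    }
    char **env = build_safe_env(environ);
    if (!env) return 1;
    char *const argv[] = { REAL_CGI, NULL };
    execve(REAL_CGI, argv, env);                       /* returns only on failure */
    perror("execve");
    return 1;
}
```

The wrapper is still exactly the kind of program the message warns about, so keep it this small: the path it executes is compiled in, nothing from argv or the request chooses it, and the environment the script inherits is rebuilt from scratch. One limitation to know about: supplementary groups inherited from the server user are not cleared, because setgroups() needs root, which a user-owned setuid binary does not have.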
