On Thu, Jan 17, 2002 at 03:00:16PM +0530, Aditya Gilra wrote:
> If a client opens my site and AppServer isn't running, WebKit.cgi should
> start it. i.e. I want WebKit.cgi to start up the appserver if it's not running
> already from just a client request and without my intervention. If it's
> already running it should connect to it normally.
>
> Which user will AppServer run as in this case, if it's possible?

The same user the CGI script is running as. Normally, that would be 'nobody' or a special low-privilege account. However, since this is a multiuser site for ISP customers, perhaps each user's CGI scripts run as that user.

> I'll need to
> give all users write access to the Webware install directory.

Why?

> Will this create security problems?

Anybody who can write to a file can change its meaning. If the ISP's other users can write to your Webware scripts, they can screw up your application. If a web user finds a way to list your Webware scripts and write to them, he can make you execute anything he likes. He may do it through your servlet if he finds a security hole, or through an unrelated non-Webware CGI script that happens to grant him write access to your files.

Many web applications need write access to certain data files and/or directories. That doesn't mean they should have write access to the program scripts themselves or to Webware.

When you said you're giving write access to the Webware install *directory*, you didn't specify whether users would have write access to the *files* in the directory. If users have write access to the directory but not to certain files, they will be able to create/rename/delete files but not to modify them in place. I suppose that's little comfort, since somebody can delete a file and then create his own file with the same name.

--
-Mike (Iron) Orr, [EMAIL PROTECTED] (if mail problems: [EMAIL PROTECTED])
http://iron.cx/ English * Esperanto * Russkiy * Deutsch * Espan~ol

_______________________________________________
Webware-discuss mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-discuss
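
An added example, not part of the original thread: a permission audit that separates the cases the reply distinguishes, a file that group or world can modify in place versus a directory they can write to, where even read-only files can be deleted and recreated. The directory and file names are constructed, and the sticky-bit distinction is an addition beyond the thread.

```python
import os
import stat
import tempfile

OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH  # write bit for group or world

def audit_tree(root):
    """Return sorted (relative_path, finding) pairs for a directory tree."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if mode & OTHERS_WRITE:
            # Sticky bit: only an entry's owner (or the directory owner) may
            # delete or rename it, so existing files cannot be swapped out.
            kind = "dir-writable-sticky" if mode & stat.S_ISVTX else "dir-writable"
            findings.append((os.path.relpath(dirpath, root), kind))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & OTHERS_WRITE:
                findings.append((os.path.relpath(path, root), "file-writable"))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed install tree (hypothetical names) and return its path."""
    root = tempfile.mkdtemp(prefix="install-audit-")
    layout = [  # (directory, directory mode, file, file mode)
        ("scripts", 0o777, "app.py", 0o444),      # read-only file, open directory
        ("data", 0o1777, "session.db", 0o644),    # shared data dir with sticky bit
        ("conf", 0o755, "settings.conf", 0o666),  # closed directory, open file
    ]
    for dirname, dmode, fname, fmode in layout:
        d = os.path.join(root, dirname)
        os.mkdir(d)
        f = os.path.join(d, fname)
        with open(f, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(f, fmode)  # chmod explicitly so the umask does not interfere
        os.chmod(d, dmode)
    return root

if __name__ == "__main__":
    for rel, finding in audit_tree(build_sample_tree()):
        print(f"{finding:20} {rel}")
```

A `dir-writable` finding on a directory holding program scripts is the case where read-only file modes give no protection; `dir-writable-sticky` is the usual setting for a shared data directory.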
