On Fri, Jul 12, 2002 at 05:14:43PM -0700, jeff wrote:
> The CGIwrap error msg when you forget to set the execute permissions always
> tells you "file is not chmod 755" or something to that effect. That is
> crazy if it's wrapped. Isn't CGIwrap about security? It should say "the
> owner execute bit is not set, at a minimum it should be chmod 700"

1) it does not even need to be 700
   - it should be at least 500 for script files (i.e. php/perl)
   - and it can be 100 for binary executable programs
   so "at a minimum it should be chmod 700" is not true;
2) CGIwrap is not for learning security, and a user can use
   any mode for his files. Setting 755 mode would not stop
   scripts from running when the admin stops wrapping scripts with cgiwrap.

There is no direct security problem with 755 mode for scripts,
assuming that the script is wrapped or is configured (in httpd.conf)
for execution only.

For a multiuser server with shell access,
one can use setfacl to better secure his public_html/WWW directory:

    chmod 700 ~ ~/WWW/
    setfacl -r -m user:www:--x ~;
    setfacl -r -m user:www:r-x ~/WWW/

where ~/WWW/ is his public html directory, and 'www' is the name
of the web server user.

Best regards,
--
Piotr Klaban
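
The owner-mode minimums given in the reply (500 for scripts, 100 for binaries) can be checked per file. The following is an added example, not part of the original message; the function names are hypothetical, and treating a leading "#!" as the sign of a script is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.

# Print the minimum owner mode named in the reply: 500 for an interpreted
# script (assumed here to start with "#!"), 100 for anything else (binary).
# Returns 2 when the file is empty or cannot be read for classification.
min_cgi_mode() {
    [ -s "$1" ] || return 2
    magic=$(dd if="$1" bs=2 count=1 2>/dev/null) || return 2
    case $magic in
        '#!') echo 500 ;;
        *)    echo 100 ;;
    esac
}

# Succeed when FILE has at least every permission bit of octal MODE set.
cgi_mode_ok() {
    [ -n "$(find "$1" -prune -perm "-$2" -print)" ]
}

# Succeed when group or others may write to FILE.
cgi_writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Print one status line per path given as an argument.
audit_cgi() {
    for f in "$@"; do
        if min=$(min_cgi_mode "$f"); then
            if cgi_mode_ok "$f" "$min"; then
                state="ok (minimum $min)"
            else
                state="needs at least $min"
            fi
        else
            state="empty or unreadable, run the check as the file owner"
        fi
        if cgi_writable_by_others "$f"; then
            state="$state, writable by group/other"
        fi
        printf '%s: %s\n' "$f" "$state"
    done
}

audit_cgi "$@"
```

A file set to mode 100 cannot be read by a non-root owner, so classify files before tightening them or run the check as root.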