Menu
▾
▴
Re: [Exist-development] [HEADS-UP] Merge in of Security Branch
|
From: Dmitriy S. <sha...@gm...> - 2012-02-08 12:06:33
|
On Wed, Feb 8, 2012 at 5:02 PM, Hungerburg <pc...@my...> wrote: > Am 2012-02-08 03:45, schrieb Joe Wicentowski: > > > > In hindsight I realize I was reading your advice below too literally. > > It makes sense that to "execute" a .xq via web browser, we need to not > > only make it "executable" but also "readable". > > > > Apologies if this is covered in basic unix permissions model, and > > apologies for my ignorance! > > In the unix model, scripts that are to be executed by an interpreter, > have to be both readable and executable by the user, while binaries, > that can be executed by the kernel directly only require execute > permission by the user. This difference does not make much sense in > eXist, does it? > > Requiring only exec permission for xquery procedures would allow to eg. > hardcode passwords in a script or use of some logic, that the executing > user must not learn. And after all, they are binaries in eXists native > object format, aren't they? > Yes, that is reason to keep it unreadable but executable. -- Dmitriy Shabanov |