On Tuesday, September 9, 2003, at 02:04 AM, Alejandro Chavarria - CyPage wrote:
Hey,I refer you to the answer I received from Drieux to (almost) exactly the same question.
I am writing a perl CGI script on a remote server that is supposed to do the
following:
1. Have the user sign in with a username and password.
2. Allow the user to add News Stories in which that input is taken and then
written to a text file (Which is as of this moment, set to chmod 777).
3. Allow the user to edit or delete the news added.
All of this works fine, but when I type in the address to the text file
where the news is stored, I can view it (Don't get me wrong, I know that
that's supposed to happen, 777 remember?). Does anyone know of a way, where
I can not allow ANYONE to view that text file, but still let the program
write to it?
Thanks
Alex
-- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
---Drieux's code---
#!/usr/bin/perl -w
use strict;
use Fcntl qw/O_CREAT O_RDWR O_EXCL O_RDONLY/;;
my $path = 'textfile.txt';
sysopen(HANDLE, $path, O_RDWR|O_CREAT|O_EXCL);
close(HANDLE);
my $cnt = chmod 0764, 'textfile.txt';
print "got $cnt\n";
---------What I think is happening (and I'm sure I'll be corrected if I'm wrong!) is that the server views your CGI as just another "visitor" so if you want your CDGI to be able to read from a file, then so can everyone else. In that case, the best you can do is remove write access unless the script is actually running. Not foolproof. If you use the above code to chmod to a writeable file, then the script dies before you get the chance to chmod it back again you are left with the original security issue until you either notice or the script runs successfully.
HTH
Dave
-- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
