On Sunday, March 2, 2003, at 09:13 AM, Joel Gwynn wrote:


I've got a script which reads a config file to get a database username and
password, among other things. What should the permissions be so that the
cgi script running on the web server can read the file, but random users on
the system can't? Is this the best way for the script to get sensitive info
like that?


This is on pair.com, where the script runs as user nobody and group www.

The catch-22 is that even if other users on the system can't read the file directly, but the web server can (i.e., somehow you set the group association of the file to "www" of which *only* the web server is a member and the permissions are rw-r-----), other users on the system who can create CGIs to be executed by the web server could write a CGI script which runs as "nobody" in group "www". You can imagine where this leads.




Erik





--
Erik Price

email: [EMAIL PROTECTED]
jabber: [EMAIL PROTECTED]

_______________________________________________
Boston-pm mailing list
[EMAIL PROTECTED]
http://mail.pm.org/mailman/listinfo/boston-pm
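
An added example, not part of the original thread: a small Python audit that classifies who can read a credentials file from its mode bits and the web server's uid/gid. The function names, finding codes and the shared_cgi_identity flag are hypothetical; the flag models a host where every account's CGIs run as the same user and group (the nobody/www setup described above).

```python
import os
import stat
import tempfile

# Hypothetical finding codes used by this example only.
WORLD = "WORLD_READABLE"
SHARED = "SHARED_WEB_IDENTITY"
NO_WEB = "WEB_CANNOT_READ"

def audit_secret_file(path, web_uid, web_gid, shared_cgi_identity=True):
    """Report who can read a credentials file, given the web server's uid/gid.

    shared_cgi_identity: True when every account's CGIs run as the same
    web_uid/web_gid, False when each account's CGIs run under its own uid.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append(WORLD)
    # Unix applies exactly one permission class: owner, else group, else other.
    if st.st_uid == web_uid:
        web_can_read = bool(mode & stat.S_IRUSR)
    elif st.st_gid == web_gid:
        web_can_read = bool(mode & stat.S_IRGRP)
    else:
        web_can_read = bool(mode & stat.S_IROTH)
    if not web_can_read:
        findings.append(NO_WEB)
    elif shared_cgi_identity:
        # Group-only access does not help when all CGIs share this identity.
        findings.append(SHARED)
    return findings

def audit_mode(mode, shared_cgi_identity=True):
    """Constructed sample: a temp file we own, with the web server modelled
    as a different uid that belongs to the file's group."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        st = os.stat(path)
        return audit_secret_file(path, st.st_uid + 1, st.st_gid,
                                 shared_cgi_identity)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    for m in (0o644, 0o640, 0o600):
        print(oct(m), audit_mode(m))
```

With mode 0640 the file passes a plain "not world-readable" check yet is still flagged, which is the catch-22 in the reply; the flag clears only when CGIs do not share one identity.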
