Colin Telmer writes:
> My question pertains to dedicating a user to webmaster to allow the user
> to create and maintain cgi scripts.
>
> First, do cgi scripts get run by www-data?

Yes, they are run as the same user and group as the server, which you set in the configuration files under "/etc/apache". With Apache 1.2, there is a program called `suexec` (I think) that lets CGI scripts run as the user that owns them. There is also a program out called `CGI-wrap`, that will do a similar thing.

You can configure Apache to run cgi from anyplace you tell it; or any executable with a certain extension, etc. The documentation will tell you a lot.

> When apache (or I assume any web server following the new web standard) is
> installed, it creates the directory /usr/lib/cgi-bin (if it wasn't there
> already) with the directory cgi-bin belonging to root:root and permission
> 755 (which is what the policy manual dictates).

I like to set that directory ownership root.webmaste, and set the permissions to u=rwx,g=rwxs,o=rx. Then you just add whomever you like to the webmaste group, and they have access then. The SGID bit on the directory ensures that all files they create will be owned by group webmaste.

Another thing you can do is set `htpasswd` to root.www-data, u=rx,g=rxs,o=rx, so that when it creates a password file, it creates it group owned by www-data. The user can then `chmod u=rw,g=rw,o=` the .htpasswd file, and nobody else on the system can grab it. (I think that a cgi script running as www-data could still get the passwords, and that the `suexec` wrapper is meant to solve this sort of thing.)

--
Karl M. Hegbloom <[EMAIL PROTECTED]>
http://www.inetarena.com/~karlheg
Portland, OR USA
Debian GNU 1.2 Linux 2.0.30t
You tell me and we'll both know.
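A check for the shared CGI directory layout described in the message above, added here as an example and not part of the original post. The function name `audit_cgi_dir` and the throwaway demo directory are assumptions; on a real host the argument would be the CGI directory itself.

```sh
#!/bin/sh
# Added example: audit a shared CGI directory set up as in the message
# (group-owned, u=rwx,g=rwxs,o=rx, i.e. mode 2775).
# audit_cgi_dir DIR prints findings; returns 0 if clean, 1 on a finding.
audit_cgi_dir() {
    a_dir=$1
    a_rc=0
    [ -d "$a_dir" ] || { echo "not a directory: $a_dir"; return 2; }

    # Numeric group id of the directory (4th field of 'ls -ldn').
    a_gid=$(ls -ldn "$a_dir" | awk '{print $4}')

    # SGID on the directory makes new files inherit its group.
    if [ ! -g "$a_dir" ]; then
        echo "FAIL: SGID bit missing on $a_dir"
        a_rc=1
    fi

    # o=rx: users outside the group must not be able to write here.
    if [ -n "$(find "$a_dir" -prune -perm -0002)" ]; then
        echo "FAIL: $a_dir is world-writable"
        a_rc=1
    fi

    # Entries with another group predate the SGID bit or were chgrp'ed.
    a_stray=$(find "$a_dir" ! -group "$a_gid")
    if [ -n "$a_stray" ]; then
        echo "FAIL: not owned by group $a_gid:"; echo "$a_stray"
        a_rc=1
    fi

    # A world-writable script can be replaced by any local user.
    a_ww=$(find "$a_dir" -type f -perm -0002)
    if [ -n "$a_ww" ]; then
        echo "FAIL: world-writable files:"; echo "$a_ww"
        a_rc=1
    fi
    return $a_rc
}

# Constructed demo on a throwaway directory (no root or webmaste group needed).
demo_dir=$(mktemp -d)
chmod u=rwx,g=rwx,o=rx "$demo_dir"      # SGID left off on purpose
audit_cgi_dir "$demo_dir" || echo "audit reported findings"
chmod g+s "$demo_dir"                   # the setting from the message
audit_cgi_dir "$demo_dir" && echo "audit clean"
rm -rf "$demo_dir"
```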

