2011/2/3 Lluís Batlle i Rossell <[email protected]>

> If you don't use a root account for your CGI, you can use a setuid program
> for it to have such access to your files. Something like what is explained
> here, but applied to fossil:
> http://vicerveza.homeunix.net/~viric/cgi-bin/offrss/doc/trunk/doc/cgi.wiki
>

Most web hosters typically run the apache processes as a particular user
(e.g. "httpd" or "apache"), and that user will need access to the repo, as
Lluís says. Some additionally run CGI scripts as the account holder (i.e.
you), in which case you only need to be sure the fossil repo is writable by
you (this is what my primary hoster does, much to my pleasant surprise). If
the server is company-internal but you don't have root access to it, you
might be able to convince the admins to add you to the www user's group, or
create a new group and add both your account and the www-running account,
and then you can make the repo group-writable, which will keep it safe from
malicious users not in that group.

Also note some Unix-like setups make /home/yourhome with mode 0700, meaning
the other users (like the apache process) won't be able to see anything. If
that's a problem in your case you'll need to get the admin to (chmod +rx)
your home dir (non-root can't do it because /home itself is owned by root
and not world-writable, so the OS won't let you change it w/o root access).

setuid scripts are an option, but are an ugly ancient remnant of "more
civilized times" and are generally frowned upon for security reasons. If I'm
not mistaken (and I might be), recent Linux versions ignore the setuid bit
(or only allow it on a configurable list of files).

-- 
----- stephan beal
http://wanderinghorse.net/home/stephan/
_______________________________________________
fossil-users mailing list
[email protected]
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
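As an added example (not part of the thread or of fossil itself), the following POSIX sh script carries out the group-writable setup Stephan describes and diagnoses the 0700 home-directory problem. The repo path and group name (e.g. the hypothetical "www-data") are passed in as arguments; it assumes you own the repo and its directory and are a member of the target group, so no root or setuid program is involved.

```shell
#!/bin/sh
# Added example, not from the thread: share a fossil repo with the web
# server's group and report ancestor directories the web server cannot enter.
# Assumptions (hypothetical): REPO and GROUP are supplied by the caller;
# chgrp requires owning the files and being a member of GROUP.

# Ten-character mode string, e.g. "drwxr-x---", for a path.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Give GROUP read/write on REPO and rwx+setgid on its directory, and drop
# "other" permissions on the repo so only the owner and the group reach it.
# The setgid bit makes files fossil creates beside the repo inherit the group.
share_repo_with_group() {
    repo=$1
    group=$2
    dir=$(dirname "$repo")
    chgrp "$group" "$repo" "$dir" || return 1
    chmod g+rw,o-rwx "$repo" || return 1
    chmod g+rwxs "$dir" || return 1
}

# Succeed (0) if the group bits of PATH grant rw on a file or rwx on a directory.
group_can_write() {
    m=$(mode_string "$1")
    kind=$(printf '%s' "$m" | cut -c1)
    grp=$(printf '%s' "$m" | cut -c5-7)
    case "$kind$grp" in
        drw[xs]) return 0 ;;
        -rw?)    return 0 ;;
    esac
    return 1
}

# Print each ancestor directory of PATH that lacks the group search (x) bit,
# i.e. the directories a same-group web server process could not traverse
# (the 0700 /home/yourhome case from the thread).
blocking_ancestors() {
    d=$(dirname "$1")
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        gx=$(mode_string "$d" | cut -c7)
        case "$gx" in
            x|s) ;;
            *) printf '%s\n' "$d" ;;
        esac
        d=$(dirname "$d")
    done
}

# Usage:
#   share_repo_with_group /home/me/repos/project.fossil www-data
#   blocking_ancestors /home/me/repos/project.fossil
```

Run `blocking_ancestors` first: any directory it prints needs `chmod g+x` (or `+rx`) before group membership alone will let the web server open the repo, since search permission on every ancestor is required regardless of the repo's own mode.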
