On Mon, Jun 18, 2007 at 07:57:50AM -0700, David Newman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 6/18/07 4:01 AM, Nick Holland wrote:
> 
> >> I plan to implement cgi.
> > 
> > which means you probably (though not certainly) have an app which
> > requires the ability to write to files.  If that is true, that means
> > you have negated at least some of the benefit of chrooting. You may
> > have to pull some tools into the chroot, that will also negate more
> > of the benefit of chrooting.  At some point, you may do enough
> > damage to the chroot idea, it might not be worth fighting with
> > anymore.
> 
> A related question from a cgi newbie: What are the best practices for
> writing responses to a form to a file within the chroot?
> 
> I pulled just enough of perl into the chroot for a script to work, and
> write to a file in /var/www/tmp with permissions of 0640 and owner:group
> of www:bin.
> 
> Anything else?

The group doesn't make sense. Otherwise, sounds good, just be sure to
use appropriate locking to prevent two instances trying to update the
file at the same time, and switch to something faster when load
increases. You're not likely to need it, but some form of database -
Berkeley DB, SQLite, PostgreSQL, or whatever - would be better suited for
concurrent updates.

                Joachim

-- 
TFMotD: bs (6) - battleships game
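
The locking advice above, as an added example that is not part of the original thread: a Perl routine that appends one form submission per line under an exclusive `flock()`, creating the file with mode 0640. The file path, the `FORM_LOG` environment variable, the tab-separated record layout and the sample field values are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: append one form submission to a file inside the chroot,
# serialised with flock(). Path, env var and record layout are assumptions.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock);

# Path as the script sees it from inside the chroot (assumed location).
my $LOG = $ENV{FORM_LOG} || '/tmp/responses.tsv';

# One record per line. Control bytes (tab, CR, LF, NUL, ...) are replaced
# so a submitted value cannot forge extra records or columns.
sub encode_record {
    my @fields = @_;
    for (@fields) {
        $_ = '' unless defined;
        s/[\x00-\x1f\x7f]/ /g;
        $_ = substr($_, 0, 1024);    # cap the length of each field
    }
    return join("\t", @fields) . "\n";
}

sub append_record {
    my ($path, @fields) = @_;
    my $line = encode_record(@fields);

    # Create with 0640 regardless of the server's umask, then restore it.
    my $old = umask 0027;
    my $ok  = sysopen(my $fh, $path, O_WRONLY | O_APPEND | O_CREAT, 0640);
    umask $old;
    $ok or die "open $path: $!";

    # Block until no other instance holds the lock, then write the whole
    # record with a single unbuffered write.
    flock($fh, LOCK_EX) or die "flock $path: $!";
    my $n = syswrite($fh, $line);
    (defined $n && $n == length $line) or die "short write to $path: $!";

    close($fh) or die "close $path: $!";    # closing releases the lock
    return 1;
}

# Constructed sample submission: timestamp, address, free-text comment.
append_record($LOG, time(), 'alice@example.org', "line one\nline two");
```

Every writer and reader of the file has to take the same lock, since `flock()` is advisory and does nothing against a process that skips it.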
