security violation
[1/5] from: gchiu::compkarori::co::nz at: 21-Dec-2000 16:41
I'm running a script in my cgi bin directory. The header
is:
#!/path/to/rebol --cgi -s
but when my script attempts to write a new txt file to the
cgi-bin directory, I get:
REBOL - Security Violation
How can I write to my cgi-bin?
--
Graham Chiu
[2/5] from: kevin:sunshinecable at: 20-Dec-2000 21:21
On Thu, 21 Dec 2000, Graham Chiu wrote:
> I'm running a script in my cgi bin directory. The header
> is:
<<quoted lines omitted: 3>>
> REBOL - Security Violation
> How can I write to my cgi-bin?
Assuming it's a Unix webserver...
The webserver typically runs as user 'nobody' (or some other virtual user
ID) with minimal permissions. One of the things 'nobody' can do is read
and execute programs in your cgi-bin... but cannot write there.
Imagine if someone was able to arbitrarily write some code to the cgi-bin
as 'nobody' and then have the webserver execute it.
What you should do is create a data directory somewhere else in your home
directory (preferably *above* the directory the webserver uses as root, so
that your data can't be retrieved via the webserver by some unscrupulous
user) and give that directory read/write permissions for user 'nobody'.
You could also create a sub-directory under your cgi-bin for the data, but
you'd want to make sure that files in that directory were *not*
executable for the same reason as not putting the data directly in the
cgi-bin.
Best regards,
Kev
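
The layout described in the message above can be checked mechanically. The script below is an added example, not part of the original thread: it flags a data directory under the web root, a world-writable script directory, and executable files in the data directory. The function name, finding labels and demo paths are hypothetical, and it assumes the web server account is neither owner nor group member of the cgi-bin directory.

```shell
#!/bin/sh
# Added example: audit a CGI layout. Assumes the web server account
# (e.g. 'nobody') is neither owner nor group member of the cgi-bin
# directory, so only its "other" permission bits decide write access.

# Resolve a directory to its physical path; fails if it does not exist.
real_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# audit_cgi_layout CGI_DIR DATA_DIR DOCROOT
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on error.
audit_cgi_layout() {
    cgi=$(real_dir "$1") && data=$(real_dir "$2") && root=$(real_dir "$3") || {
        echo "ERROR: directory missing or unreadable"; return 2; }
    findings=0

    # 1. Data should live outside the tree the web server serves.
    case "$data/" in
        "$root"/*) echo "DATA_UNDER_DOCROOT: $data"; findings=1 ;;
    esac

    # 2. A world-writable script directory lets the server account drop
    #    code there and then have the web server execute it.
    if [ -n "$(find "$cgi" -prune -perm -0002 -print)" ]; then
        echo "CGI_DIR_WRITABLE: $cgi"; findings=1
    fi

    # 3. No file in the data directory may carry an execute bit.
    exe=$(find "$data" -type f \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print)
    if [ -n "$exe" ]; then
        echo "$exe" | sed 's/^/DATA_FILE_EXECUTABLE: /'; findings=1
    fi
    return "$findings"
}

# Constructed demo layout in a temporary directory (removed afterwards).
demo=$(mktemp -d)
mkdir -p "$demo/www/cgi-bin" "$demo/data"
chmod 755 "$demo/www/cgi-bin"
audit_cgi_layout "$demo/www/cgi-bin" "$demo/data" "$demo/www" \
    && echo "layout OK"
rm -rf "$demo"
```

A data sub-directory under cgi-bin, the alternative mentioned in the message, is still reported by check 1 when cgi-bin sits under the web root; check 3 is the one that matters in that layout.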
[3/5] from: jeff:rebol at: 20-Dec-2000 21:30
Howdy, Graham:
> I'm running a script in my cgi bin directory. The header
> is:
>
> #!/path/to/rebol --cgi -s
Try: rebol -cs
?
-jeff
[4/5] from: gchiu:compkarori at: 21-Dec-2000 21:03
On Wed, 20 Dec 2000 21:30:41 -0800
[jeff--rebol--net] wrote:
> > I'm running a script in my cgi bin directory. The header
> > is:
> >
> > #!/path/to/rebol --cgi -s
>
> Try: rebol -cs
Thanks, that worked.
--
Graham Chiu
[5/5] from: gchiu:compkarori at: 21-Dec-2000 21:06
On Wed, 20 Dec 2000 21:21:59 -0800 (PST)
Kevin McKinnon <[kevin--sunshinecable--com]> wrote:
> The webserver typically runs as user 'nobody' (or some other virtual user
> ID) with minimal permissions. One of the things 'nobody' can do is read
> and execute programs in your cgi-bin... but cannot write there.
But my Perl scripts can write to my cgi-bin directory.
Rebol -cs does the trick.
> What you should do is create a data directory somewhere else in your home
<<quoted lines omitted: 4>>
> user) and give that directory read/write permissions for user 'nobody'.
That's a thought. I was wondering where I could put data
that I didn't want in my cgi-bin directory. I'll give that
a go.
Thanks,
--
Graham Chiu
Notes
- Quoted lines have been omitted from some messages.