Here's the situation: I have a Perl CGI script which references a file. The second file contains a password.
The password is required to access the database which is used by the CGI application I'm writing.
Now the Perl CGI file definitely has to be readable and executable by the webserver. What about the file with the password? It should also be readable by the webserver daemon.
Problem is that anyone else whose scripts run on the same server can simply cat the file using their own CGI scripts and see the passwords etc.
So how is this fixed?
Sometime on Mar 16, Satya assembled some asciibets to say:
> Now the Perl CGI file definitely has to be readable and executable by the webserver. What about the file with the password? It should also be readable by the webserver daemon.
no it doesn't. if you're running under suexec (and you should), then it only needs to be readable by you, not by the world. in that case, the script runs as you, and the password file also needs to be readable only by you.
philip
On Mar 17, 2002 at 14:10, Philip S Tellis wrote:
> no it doesn't. if you're running under suexec (and you should), then it only needs to be readable by you, not by the world. in that case, the script runs as you, and the password file also needs to be readable only
Exactly what I need, thanks. I've got it all up and running, upgrading Apache in the process. I hope I haven't opened any new holes.