Skip to main content.
home | support | download

Back to List Archive

Re: CGI script to build Swish-E (without command

From: Kurtis D. Rader <krader(at)not-real.aracnet.com>
Date: Tue Oct 08 2002 - 08:59:36 GMT
On Mon, 2002-10-07 00:18:42, SRE wrote:
> At 07:49 PM 10/6/02, Bill Moseley wrote:
> >You would not want to do chmod 777 on a shared server.
> 
> Not for long, anyway.

Not for one second.

> >I would want to check the UID of the executing script which I'd hope
> >would be your UID, which would be the case if you are running in a
> >suexec-type of CGI environment.  If it's not then it really is time to
> >look for a new ISP.
> 
> We kicked this around before. The benefits and cost of my ISP outweigh
> this little limitation (for which there are workarounds) and the user
> community there is such that trusting them is reasonable.
> 
> I came up with a general solution that should work anywhere...  and lots
> of folks are going to have different user or group IDs when they create a
> file with FTP vs. when they create from a CGI script. That's the reason
> for the wide-open protection...  I have the right to chmod but not to
> chown, and I don't own the files or directories the CGI script creates.
> 
> Sigh. Life is a compromise!
> 
> But what do you think of the concept, even if it needs tweaking?

While I applaud your inventiveness at dealing with the limitations of
your environment it is a solution that should not be used by anyone. The
security implications are downright scary. Sorry, but I have to vote
"no" on the question of including this information in the standard
distribution.  I agree with Mr. Mosley. You should change ISPs or host
the web site yourself.
Received on Tue Oct 8 09:03:30 2002