no setuid for CGI scripts?

pawn NOSpawnPAM at lightspawn.org
Thu Nov 8 07:05:04 EST 2001


My CGI scripts save information submitted by users in files, and later
display this information inside HTML templates.

It seems to me that either I find a way to let these scripts run with
my UID, or, in order to let them read / write files in the data
directory, I have to make it world-writable, which means malicious
users on the same system can delete files, as well as create files
which were not processed by the CGI's policies.

Is there something I'm missing here? *Can* I get by without setuid?

"Leeuw van der, Tim" <tim.leeuwvander at nl.unisys.com> wrote in message news:<mailman.1004997611.31394.python-list at python.org>...
> SETUID scripts are usually disallowed for security reasons. If there's a
> script, be it python, perl, shell or whatever, that can be run setuid, the
> interpreter can generally be coaxed into running arbitrary code. Not
> something you want. Therefore, a lot of unices disallow it.
> I believe that there is a special setuid perl.
> 
> Do you really *need* setuid? Is there no other way to achieve what you need
> to do?
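
An added example, not part of the original post or the quoted reply: a Python audit of the exposure the post describes for a world-writable CGI data directory (other local users deleting files, or creating files that never passed through the CGI's checks). The function name and the `expected_uid` parameter (the account the scripts run as) are assumptions; the check also reads the directory's sticky bit, which on Unix limits deletion in a world-writable directory to each file's owner.

```python
import os
import stat
import tempfile

def audit_data_dir(path, expected_uid):
    """Report how exposed a CGI data directory is to other local users.

    expected_uid is the account the CGI scripts run as (an assumption of
    this example; the post does not name it).
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    world_writable = bool(mode & stat.S_IWOTH)
    sticky = bool(mode & stat.S_ISVTX)
    findings = {
        # Any local user can create entries, so files that never passed
        # through the CGI's own validation can appear here.
        "others_can_create": world_writable,
        # Without the sticky bit, write access to the directory is enough
        # to unlink or rename files owned by someone else.
        "others_can_delete": world_writable and not sticky,
        "foreign_files": [],
    }
    # Files not owned by the CGI account were not written by the scripts.
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.stat(follow_symlinks=False).st_uid != expected_uid:
                findings["foreign_files"].append(entry.name)
    findings["foreign_files"].sort()
    return findings

def demo():
    """Run the audit on a constructed temporary directory in three modes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "entry1.txt"), "w") as f:
            f.write("constructed sample submission\n")
        for label, mode in (("0777", 0o777), ("1777", 0o1777), ("0700", 0o700)):
            os.chmod(d, mode)
            results[label] = audit_data_dir(d, os.getuid())
    return results

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```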


