Re: source code security

• To: www-security@ns2.rutgers.edu
• Subject: Re: source code security
• From: Paul Phillips <paulp@cerf.net>
• Date: Sat, 2 Dec 1995 09:31:07 -0800 (PST)
• cc: Peter Henning <wizard@electric.co.za>
• In-Reply-To: <Pine.LNX.3.91.951202110401.21101B-100000@wildcat.electric.co.za>

On Sat, 2 Dec 1995, Peter Henning wrote:

> one nice trick is to take away all "r" permissions on your cgi binaries. 
> Most scripts just need world or group "x" permissions, and possibly owner 
> "w" permissions so that you can recompile them from a safer directory 
> elsewhere. That way, the scripts can run but even if they live somewhere 
> inside your document root (not a wise idea)

Not true; "scripts" definitely cannot run without read permission.  You 
are conflating binaries with scripts, a common practice but an unsafe 
one.  A script cannot be run without read permission because it contains 
code to be sent into an interpreter that has to be read at runtime.  A C 
binary on the other hand contains native machine code and can be 
executed without read permissions.

Also on this topic, there have been server bugs/misfeatures in the past 
that allowed people to retrieve CGI source code even if everything was 
configured correctly.  Caveat webmaster.

--
Paul Phillips                                 | "Click _here_ if you do not
<URL:mailto:paulp@cerf.net>                   |  have a graphical browser"
<URL:http://www.primus.com/staff/paulp/>      |  -- Canter and Siegel, on
<URL:pots://+1-619-558-3789/is/paul/there?>   |  their short-lived web site

• Re: source code security
• From: Peter Henning <wizard@electric.co.za>

• Previous: Re: source code security
• Next: Re: cgi communication
• Index(es):
  • Index
  • Thread