[Previous] [Next] [Index]
[Thread]
Re: source code security
On Sat, 2 Dec 1995, Peter Henning wrote:
> one nice trick is to take away all "r" permissions on your cgi binaries.
> Most scripts just need world or group "x" permissions, and possibly owner
> "w" permissions so that you can recompile them from a safer directory
> elsewhere. That way, the scripts can run but even if they live somewhere
> inside your document root (not a wise idea)
Not true; "scripts" definitely cannot run without read permission. You
are conflating binaries with scripts, a common practice but an unsafe
one. A script cannot be run without read permission because it contains
code to be sent into an interpreter that has to be read at runtime. A C
binary on the other hand contains native machine code and can be
executed without read permissions.
Also on this topic, there have been server bugs/misfeatures in the past
that allowed people to retrieve CGI source code even if everything was
configured correctly. Caveat webmaster.
--
Paul Phillips | "Click _here_ if you do not
<URL:mailto:paulp@cerf.net> | have a graphical browser"
<URL:http://www.primus.com/staff/paulp/> | -- Canter and Siegel, on
<URL:pots://+1-619-558-3789/is/paul/there?> | their short-lived web site
References: