[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: chgrp and not being in the group

To: Peter Galbavy <Peter.Galbavy@knowledge.com>, tech@openbsd.org
Subject: Re: chgrp and not being in the group
From: chuck <chuck@Yerkes.com>
Date: Tue, 30 Nov 1999 22:02:37 -0800
Mail-Followup-To: Peter Galbavy <Peter.Galbavy@knowledge.com>,tech@openbsd.org
References: <19991130161547.B28109@office.knowledge.com>

You know, I have a small server for a couple people that I know
and trust.  And I still audit all the CGI scripts going in.
And I'm STUNNED at the scripts that I find that put KEY information
into the FORM that calls the CGI-script.  So "datafile" is defined
as being /PATH/file.  'course, using a different form let's me
see/modify other files.

Those scripts get fixed.

Basically, if you want users to have their own cgi, then run
them AS the user, not as the web server's id.  It limits the
damage to that which THEY can read/write.  That's good.

As for chgrp, I create a shell script that does something (perhaps it's
just a copy of /bin/sh), I set it GID, I give it away to group www.  I
run it.  Now I'm in www.  We don't want that.

Oh yeah, group quotas.  Really nice feature of 4.4 (I like telling
WWWGroupA that I don't care WHO's taking up the space, they are over
quota.

Quoting Peter Galbavy (Peter.Galbavy@knowledge.com):
> This may be a matter of POSIX, but the bhaviour of chgrp doesn't seem
> justified to me. Flame welcome.
> 
> man chgrp:

Next by Date: Re: scsictl
Next by thread: Re: scsictl
Index(es):
- Date
- Thread