Re: More CGI Comments

rhb@hotsand.att.com

Mail folder: WWW Talk Jan 94-present
Next message: Timo Harmo - SocSci U of Helsinki" : "WWW as a seminar-environment"
Previous message: James (Eric) Tilton: "HTML spec. questions"
Maybe in reply to: rhb@hotsand.att.com: "More CGI Comments"
Reply: Robert S. Thau: "More CGI Comments"

From: rhb@hotsand.att.com
Date: Sat, 8 Jan 94 20:27:36 EST
Original-From: hotsand!rhb (Rich Brandwein)
Message-id: <9401090127.AA28418@hotsand.dacsand>
To: www-talk@library.ucsf.edu
Subject: Re: More CGI Comments
Content-Length: 2437

Robert S. Thau writes:
> 
> The main problem with any such scheme is security. For all sorts of
> reasons, it's a bad idea to let The Outside World (including potential
> attackers) read the code of your scripts.  In order to prevent this, at
> least around here, it's *not* enough to prevent the server from tossing
> files which appear to be scripts over the wall --- script code appears in
> emacs backup and auto-save files as well, and so, to be thorough, I wound
> up preventing the export of those.  The trouble is that it's hard to tell
> when to stop --- scripts may eventually get patched, for instance; do we
> ban retrieval of '*.orig'?
> 
> What might be safer is to have each directory contain either scripts or
> files, but not both --- files could not be retrieved at all from a scripts
> directory.  This would also get rid of the suffixes, which some people find
> objectionable (even though most Web servers already use dot-suffixes to
> determine a file's MIME type).  However, this does represent a real loss in
> flexibility for the server maintainer as compared to the suffix hack.

All my scripts have a #! notation at the top.  I would think looking
for any files of this type would indicate scripts (though this may
be unmanageable/inefficient).  In any case, it's not clear to me that
looking through old versions of scripts that may exist in a directory
is particularly dangerous (especially if, as you say, they are are typically
saved with a common suffix). 

By default, many systems don't allow read access to "world" in the umask.  If 
you run the server as "nogroup" you would thus need to "make public" each
file after you've written them.  Even if this isn't the case, you can do 
things like set emacs to backup files to a mask that prevents group/world
read.  BTW, some previous random tests have found that
about 80% of all Plexus based servers out there have their scripts wide open and readable
by just knowing a common place to look for them (this may have changed, though).
In general, I actually prefer this since it makes it easier to share scripts
(though I agree it is dangerous).

Even if we assume that we segregate scripts into seperate 
directories for users, we can't let all the users use the same bin
directory for scripts (one possible solution is assuming
by default in the httpd server a public_html/cgi-bin directory for add-on users...?).

> 
> Any comments?
> 
> rst
> 

Rich