Re: More CGI Comments

"James (Eric) Tilton" <jtilton@jupiter.willamette.edu>
Date: Sat, 8 Jan 1994 14:55:26 -0800 (PST)
From: "James (Eric) Tilton" <jtilton@jupiter.willamette.edu>
Subject: Re: More CGI Comments 
To: www-talk@www0.cern.ch
In-reply-to: <9401081426.aa08569@paris.ics.uci.edu>
Message-id: <Pine.3.88.9401081416.A4979-0100000@jupiter>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Length: 2432

On Sat, 8 Jan 1994, Roy T. Fielding wrote:

> > 1) If you let users export information via their UserDir
> > (i.e., ~/public_html by default), how can you gracefully allow them to
> > create anything that requires a shell execution without giving everyone
> > write access to the cgi-bin directory or creating cgi aliases for all
> > users in srm.conf?
> >...

What we've done here at Willamette is to create a pair of local groups, 
one called "webmgr" and one called "webdev".  "webmgr" is for the few 
people trusted to work on the main trunk of our web (although I'm pretty 
much the only one who uses it :) ), but "webdev" is for a group of 
students who want to collaboratively work on WWW projects.  "webdev" has 
been given an additional directory for developing their own scripts.  
Granted, this is a "human" solution rather than a technical solution, as
it still relies on giving access to those who are trusted -- it doesn't 
address giving every user access to this capability.

> Just prior to reading this I was looking at a local notice about login
> security.  Thus, my first thought was what would happen if some user
> created a script which deletes (recursively) all of the files in the
> invokers home directory.  Since the script would be executed under the
> server's user ID (I think), would the script then delete all of the
> server's subdirectories?
> 

On the NCSA httpd, at least, I believe that if root is running the 
server, there's an option for the server to change its UID.  Ours 
changes to "nobody", which means that the server really can't do much 
except read world-readable files.

However, this approach may not make sense for future development.  
Specifically, what about the eventual use of PUT and POST protocols for 
things like dynamic document generation?  It might be nice, for instance, 
to be able to edit a document that I've grabbed over the web, and use PUT 
to create a new revision for the changes I've made (shades of Xanadu!).  
Granted, this isn't immediately looming, but it wouldn't be implementable 
if the server can change the documents it has control over...

						-et

/ (James) Eric Tilton, Student AND Student Liaison, WITS               \
\ Class of '95 - CS/Hist  -- Internet - jtilton@willamette.edu         /
<a href="http://www.willamette.edu/~jtilton/">ObHyPlan!</a>, chock fulla
<a href="http://www.willamette.edu/~jtilton/whatsnew.html">Fun Stuff!</a>
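The switch from root to an unprivileged account that the message above describes, written out as an added example in C; this is not NCSA httpd's code, and it is not from the thread's authors. It does the drop in the order the kernel requires (supplementary groups and gid while still root, then uid) and then verifies that the drop is complete and irreversible instead of trusting the calls. The account name "nobody" and the existence of that account are assumptions, and the path probed in main() is constructed for the demonstration.

```c
/* Permanent privilege drop for a server started as root.
 * Added example; not NCSA httpd code. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* uid / gid of a named account, or (uid_t)-1 / (gid_t)-1 if it is absent.
 * The account "nobody" used in main() is an assumption about the host. */
uid_t uid_of(const char *name) {
    struct passwd *pw = getpwnam(name);
    return pw ? pw->pw_uid : (uid_t)-1;
}

gid_t gid_of(const char *name) {
    struct passwd *pw = getpwnam(name);
    return pw ? pw->pw_gid : (gid_t)-1;
}

/* Drop to uid/gid for good. Order matters: setgroups() and setgid() need
 * root, so they must precede setuid(). setuid() (not seteuid()) is used so
 * that the real, effective and saved uids all change and root cannot be
 * regained. Returns 0 on success, -1 with errno set on any failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0) {                 /* "dropping" to root is a misconfiguration */
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0) {
        /* Clear root's supplementary groups, or the server keeps every
         * group root belonged to. Only root may call setgroups(). */
        if (setgroups(0, NULL) != 0) return -1;
    }
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify rather than trust: regaining root must now fail ... */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    /* ... and every identity must be the requested one. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 if neither the real nor the effective uid is root, else 0. */
int running_unprivileged(void) {
    return getuid() != 0 && geteuid() != 0;
}

/* 1 if the current identity could write to path, else 0. After the drop
 * this is what bounds a runaway CGI script: only what "nobody" can write. */
int can_write(const char *path) {
    return access(path, W_OK) == 0;
}

int main(void) {
    uid_t uid = uid_of("nobody");   /* assumed account */
    gid_t gid = gid_of("nobody");
    if (uid == (uid_t)-1 || gid == (gid_t)-1) {
        fprintf(stderr, "no account named nobody on this host\n");
        return 1;
    }
    if (geteuid() == 0 && drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    /* "/etc" is a constructed probe: root-owned, so "nobody" cannot write it. */
    printf("uid=%d unprivileged=%d can_write(/etc)=%d\n",
           (int)geteuid(), running_unprivileged(), can_write("/etc"));
    return 0;
}
```

Build with `cc -o drop drop.c` and run it as root to watch the switch happen; as an ordinary user it skips the drop and just reports. The verification step is the part worth copying: a server that only calls seteuid(), or calls setuid() before setgid(), can either regain root or carry root's gid and group list into every CGI script it spawns, and neither mistake is visible without checking the ids afterwards.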