Newbie CGI question

Andrew Pierce apierce at esc-NOSPAM-ape.com
Tue Nov 14 14:52:40 EST 2000


in article 3A10A6A6.BCDC160D at raqia.com, David Lees at
DavidL.no.non.nospammy at raqia.com wrote on 11/13/00 9:42 PM:
> I am trying to make my first CGI script work and am having a permissions
> problem on an apache server, RedHat 6.2.  I made sure the form.py test
> script copied from Programming With Python, by Altom (pages 181-182) has
> execution permission.  When I fill in the form under test and execute
> the Python code in the cgi-bin, I have permission errors when I try
> writing a file.  What is the standard way to handle this?  I thought
> that for security reasons the cgi-bin directory is root.   Is there a
> standard scratch area used for opens?

I ran into this too, but with Apache running under Unix.  The permissions
for cgi scripts (all interpreted cgi scripts, not just python) are set to
'nobody'.  There are a couple of workarounds:

The most common (best) is to write a "wrapper" program in a compiled
language like C that does nothing but set permissions appropriately and pass
control off to the interpreted program.  Such a prog could look like this:

#include <stdio.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
    /* Replace argv[0] with the script to run; any further
       arguments are passed through unchanged. */
    argv[0] = "./python_prog_name_here.py";
    execv(argv[0], argv);
    /* execv only returns if it failed. */
    perror("execv");
    return 1;
}

Compile this program, set the permissions on the compiled executable to 4755
and call the executable from your web page.  Your python script will then
run with root permissions.  Careful though.

Alternative method 1:
Change the permissions on the directory to which your script will write to
777 and run the script.  The script will be able to write files with
permissions of 'nobody'.  Then change the permissions on the directory back
to 711.  Your script (actually anybody's script) will be able to modify any
existing files in the directory (since the files are uid 'nobody' and so is
the script) but will not be able to create new files or list the directory.
This is kind of a hassle, and outsiders can corrupt your data if they want
to (and can figure out the file names), but it doesn't involve anything
having root permissions.

Alternative method 2: (don't do this -- very bad)
Change the permissions on the directory to which the script will write to
777 and leave them at 777.  I have seen this recommended in several cgi
books but it is a massive security problem.

     -Andy Pierce
(this kind of thing should be in the FAQ somewhere)
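As an added example that is not part of the original post: the same "wrapper" idea, but written so that the Python script ends up running as a dedicated, unprivileged service account instead of root. It assumes the compiled wrapper is owned by that account and installed with mode 6750 (setuid + setgid, group set to the web server's group), and it uses placeholder paths PYTHON_PATH and SCRIPT_PATH and a constructed whitelist of CGI request variables; adjust all three for your installation. The wrapper refuses to run if the owning account is root, verifies the privilege change actually took effect, and forwards only the listed request variables (so PATH, PYTHONPATH and the like from the caller's environment never reach the script).

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PYTHON_PATH "/usr/bin/python"                /* assumed */
#define SCRIPT_PATH "/usr/local/cgi/private/form.py" /* assumed */

/* Constructed whitelist: only these request variables are forwarded. */
static const char *const cgi_vars[] = {
    "REQUEST_METHOD", "QUERY_STRING", "CONTENT_TYPE", "CONTENT_LENGTH",
    "SERVER_NAME", "SERVER_PORT", "SCRIPT_NAME", "REMOTE_ADDR", NULL
};

/* Accept only an absolute path without ".." components. Returns 1 if ok. */
int safe_script_path(const char *path)
{
    size_t n;
    if (path == NULL || path[0] != '/')
        return 0;
    if (strstr(path, "/../") != NULL)
        return 0;
    n = strlen(path);
    if (n >= 3 && strcmp(path + n - 3, "/..") == 0)
        return 0;
    return 1;
}

/* Set real and effective ids to the service account's ids so the script
 * cannot switch back. Refuses root. Returns 0 on success, -1 on failure. */
int drop_to_account(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;
    if (setregid(gid, gid) != 0)
        return -1;
    if (setreuid(uid, uid) != 0)
        return -1;
    /* Confirm the change took effect instead of trusting return codes. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Build a minimal environment: a fixed PATH plus whichever whitelisted
 * variables are present. Returns the number of entries (excluding the
 * terminating NULL), or -1 if out is too small or malloc fails. */
int build_cgi_env(char **out, size_t max)
{
    size_t n = 0;
    int i;
    if (max < 2)
        return -1;
    out[n++] = "PATH=/usr/bin:/bin";
    for (i = 0; cgi_vars[i] != NULL; i++) {
        const char *val = getenv(cgi_vars[i]);
        char *entry;
        size_t len;
        if (val == NULL)
            continue;
        if (n + 1 >= max)
            return -1;
        len = strlen(cgi_vars[i]) + 1 + strlen(val) + 1;
        entry = malloc(len);
        if (entry == NULL)
            return -1;
        snprintf(entry, len, "%s=%s", cgi_vars[i], val);
        out[n++] = entry;
    }
    out[n] = NULL;
    return (int)n;
}

int main(void)
{
    char *envp[16];
    char *argv[] = { PYTHON_PATH, SCRIPT_PATH, NULL };

    if (!safe_script_path(SCRIPT_PATH))
        return 1;
    /* With the setuid bit, geteuid()/getegid() are the wrapper's owner. */
    if (drop_to_account(geteuid(), getegid()) != 0) {
        fprintf(stderr, "wrapper: cannot drop privileges: %s\n", strerror(errno));
        return 1;
    }
    if (build_cgi_env(envp, sizeof envp / sizeof envp[0]) < 0)
        return 1;
    execve(PYTHON_PATH, argv, envp);
    /* Only reached if execve failed. */
    fprintf(stderr, "wrapper: execve %s: %s\n", PYTHON_PATH, strerror(errno));
    return 1;
}
```

With this layout the directory the script writes to can stay owned by the service account with mode 700: the web server's own 'nobody' user never needs write access to it, and nothing runs as root.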
