no setuid for CGI scripts?
sholden at holdenweb.com
Thu Nov 8 13:39:56 CET 2001
"pawn" <NOSpawnPAM at lightspawn.org> wrote in message
news:4b4c5d99.0111080405.77c024a2 at posting.google.com...
> My CGI scripts save information submitted by users in files, and later
> display this information inside HTML templates.
> It seems to me that either I find a way to let these scripts run with
> my UID, or, in order to let them read / write files in the data
> directory, I have to make it world-writable which means malicious
> users on the same system can delete files, as well as create files
> which were not processed by the CGI's policies.
> Is there something I'm missing here? *Can* I get by without setuid?
Had you considered mailing the form to a Python program on some other
machine? Or using an FTP client to provide an authenticated connection to
your server filestore?
Both solutions are gash, but this is the kind of thing you end up doing when
you don't have full access to your server environment.
More information about the Python-list