Unable to execute the script

Hans Mulder hansmu at xs4all.nl
Sat Aug 11 08:59:11 CEST 2012


On 11/08/12 00:48:38, Dennis Lee Bieber wrote:
> On Fri, 10 Aug 2012 12:35:06 -0700, Smaran Harihar
> <smaran.harihar at gmail.com> declaimed the following in
> gmane.comp.python.general:
> 
>> Hi Tim,
>>
>> this is the output for the ls -lsF filename
>>
>> 8 -rwxr-xr-x 1 root root 5227 Jul 30 13:54 iplantgeo_cgi.py*
>>
> 	<shudder>
> 
> 	A CGI script owned by root?

Why not?

It's not setuid, so being owned by root does not give it
any special privileges.

> What "user" does your web server run as?
> I'd recommend setting that user as the owner of the CGI script.

That's definitely a bad idea.  More so if it's writeable by its
owner, as is the case here.  It would mean that if a security
hole allows intruders to write to arbitrary files, then they
can overwrite this script and that would allow them to execute
arbitrary code.

-- HansM



More information about the Python-list mailing list