Thanks Joost,

The *.webwhackers scenario sounds like the best idea. I've never been that clear on sgid but your response forced me to read the manual :) on it and then put it to use.

Ken

Joost Kooij wrote:
>
> On Tue, Jul 24, 2001 at 03:13:25PM -0400, Ken Januski wrote:
> > What I'm trying to find out is if root.root is a good idea? I assume it
> > is or it wouldn't be the default. It just seems odd to me to have to
> > become root in order to write either a html or cgi page.
>
> You can set up the ownership of the webpages just like you like it.
> Read a book about unix permissions and ownership management and
> set up a nice scheme. It really depends mostly on your particular
> setup and needs. That is also one of the reasons debian sets no
> standards here, other than that the local admin sets the standard.
>
> Possible setups:
>
> root.root owned files, some user edits copies of the files in a local
> directory. When ready, the files are copied to the webroot by root.
>
> *.webwackers owned and group writable files, with all users who are
> supposed to be able to edit webcontent a member of that group. Put the
> sgid bit on the directories, if you like. This scheme can also be
> combined with the edit-a-copy scheme in the above.
>
> www-data.www-data owned files are evil, because then the webserver process
> can modify files. This is unwanted if the webserver process is somehow
> compromised and precisely the reason for the separate www-data userid,
> it is a dedicated "nobody" user. As all cgi scripts by default will
> also run as www-data, their output files are owned by www-data also,
> which is ugly for the above reasons, but hard to prevent.
>
> Because you can make virtual servers and scripts run under alternate
> userids of your own choice, your options are limited to your imagination.
>
> Cheers,
>
> Joost
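The group-writable, sgid-directory scheme described in the quoted message, as an added example that is not part of the original thread: one function applies the scheme to a tree and one audits a tree against it. The function names, the finding labels and the use of numeric uid/gid arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): apply and audit the "*.webwackers" scheme.
# Numeric ids are accepted so the functions work where names do not resolve.

# apply_scheme ROOT GROUP: hand the tree to the editors' group, make it
# group-writable but not world-writable, and set sgid on every directory.
apply_scheme() {
    root=$1; group=$2
    chgrp -R "$group" "$root"
    chmod -R g+w,o-w "$root"
    find "$root" -type d -exec chmod g+s {} +
}

# audit_webroot ROOT SERVER_UID EDITORS_GID
# Prints "<finding> <path>" per problem; returns 0 when clean, 1 otherwise.
# Paths containing newlines are not handled.
audit_webroot() {
    root=$1; server_uid=$2; editors_gid=$3
    findings=$(
        # Owned by the web server user: a compromised server could rewrite it.
        find "$root" -uid "$server_uid" | sed 's/^/server-owned /'
        # World-writable means writable by the server user as well.
        find "$root" ! -type l -perm -0002 | sed 's/^/world-writable /'
        # Outside the editors' group, or not writable by it.
        find "$root" ! -type l ! -gid "$editors_gid" | sed 's/^/wrong-group /'
        find "$root" ! -type l ! -perm -0020 | sed 's/^/not-group-writable /'
        # Without sgid, new files on Linux take the creator's group instead.
        find "$root" -type d ! -perm -2000 | sed 's/^/dir-missing-sgid /'
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Demo on a constructed tree in a temp directory: sh thisfile demo
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d); mkdir -p "$t/site/cgi-bin"
    echo '<p>hi</p>' > "$t/site/index.html"; chmod 646 "$t/site/index.html"
    audit_webroot "$t/site" "$(id -u)" "$(id -g)" || echo "-- before: problems found"
    apply_scheme "$t/site" "$(id -g)"
    audit_webroot "$t/site" 54321 "$(id -g)" && echo "-- after: clean"
    rm -rf "$t"
fi
```

On a real server the arguments would be the webroot path, `$(id -u www-data)` and the numeric gid of the editors' group; `apply_scheme` then has to run as a user allowed to change the group of every file in the tree.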