This really doesn't have anything to do with Postgres, but you guys may
want to look into the cgi-wrapper addon that comes with Apache. I haven't
used it myself, but from what I understand it does a setuid to the user
whose home directory the CGI is in before executing it, thus having the
same file access permissions as that user. Then it doesn't matter if other
people can run CGI scripts or have shell access, as unless they have the
password for the account of the CGI, they can't read it (as long as you
aren't an idiot in setting the file permissions.) PHP3 has a similar
ability built in that can be turned on via the php3.ini file.
The problem with CGI security isn't so much a matter of people getting
shell access and playing around, it's more along the lines of writing a CGI
that executes a program such as find or cat as the web user, which would
enable them to list and display all the CGI's on the system, and their
config files.
At 12:02 PM 1/17/00, Stephane Bortzmeyer wrote:
>On Monday 17 January 2000, at 11 h 18, the keyboard of Jeff MacDonald
><jeff@hub.org> wrote:
>
> > > My CGIs sources a config file, in mode 700, only readable by 'www'
> (the user
> > > which executes Apache).
> >
> > this option works, but not well if the user isn't root.
>
>Can you elaborate? Of course, it works well and of course, the actual user
>is not root.
>
>
>
>
>************
