Date: Sat, 2 Dec 1995 09:31:07 -0800 (PST)
From: Paul Phillips <paulp@cerf.net>
To: www-security@ns2.rutgers.edu
cc: Peter Henning <wizard@electric.co.za>
In-Reply-To: <Pine.LNX.3.91.951202110401.21101B-100000@wildcat.electric.co.za>
Errors-To: owner-www-security@ns2.rutgers.edu

On Sat, 2 Dec 1995, Peter Henning wrote:

> one nice trick is to take away all "r" permissions on your cgi binaries.
> Most scripts just need world or group "x" permissions, and possibly owner
> "w" permissions so that you can recompile them from a safer directory
> elsewhere. That way, the scripts can run but even if they live somewhere
> inside your document root (not a wise idea)

Not true; "scripts" definitely cannot run without read permission. You
are conflating binaries with scripts, a common practice but an unsafe one.

A script cannot be run without read permission because it contains code
to be sent into an interpreter that has to be read at runtime. A C binary,
on the other hand, contains native machine code and can be executed without
read permissions.

Also on this topic, there have been server bugs/misfeatures in the past
that allowed people to retrieve CGI source code even if everything was
configured correctly. Caveat webmaster.

-- 
Paul Phillips                               | "Click _here_ if you do not
<URL:mailto:paulp@cerf.net>                 | have a graphical browser"
<URL:http://www.primus.com/staff/paulp/>    | -- Canter and Siegel, on
<URL:pots://+1-619-558-3789/is/paul/there?> | their short-lived web site
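The following is an added demonstration of the point Paul makes above; it is not code from either message on the list. It assumes a Linux or other Unix host with a /bin/sh binary that can be copied, a scratch directory that is not mounted noexec, and the usual DAC rules: execve() needs only an x bit, but the interpreter named on the #! line must open() the script for reading like any other file. It copies /bin/sh rather than compiling a C program so it runs without a compiler; the copy is kept under the name "sh" so multicall binaries such as busybox still dispatch correctly.

```shell
#!/bin/sh
# Added example (not from the original thread): show that a #! script fails
# with mode 0111 while a native binary with mode 0111 still executes.
# Assumptions: Unix DAC semantics, /bin/sh present, exec-capable temp dir.

set -u

# Set the mode on the file given as the first command word, run the command
# with output suppressed, and print "ran" or "denied".
run_with_mode() {
    mode=$1
    shift
    chmod "$mode" "$1"
    if "$@" >/dev/null 2>&1; then
        echo ran
    else
        echo denied
    fi
}

# Create a scratch directory holding a trivial constructed script and a copy
# of the /bin/sh binary; print the directory path.
make_demo_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$d/script.sh"
    cp /bin/sh "$d/sh"
    echo "$d"
}

# Each case takes the demo directory and prints "ran" or "denied".
script_x_only() { run_with_mode 0111 "$1/script.sh"; }
script_rx()     { run_with_mode 0555 "$1/script.sh"; }
binary_x_only() { run_with_mode 0111 "$1/sh" -c 'exit 0'; }

# What the script-without-r case should print for the current user: root
# bypasses the DAC read check (CAP_DAC_READ_SEARCH), so only an unprivileged
# user sees the interpreter refuse to open the script.
expected_script_x_only() {
    if [ "$(id -u)" -eq 0 ]; then echo ran; else echo denied; fi
}

demo_dir=$(make_demo_dir)
printf '%-22s %s\n' 'script, mode 0111:' "$(script_x_only "$demo_dir")"
printf '%-22s %s\n' 'script, mode 0555:' "$(script_rx "$demo_dir")"
printf '%-22s %s\n' 'binary, mode 0111:' "$(binary_x_only "$demo_dir")"
rm -rf "$demo_dir"
```

Run it as an unprivileged user with `sh demo.sh`: the script at 0111 is refused by the interpreter (the kernel happily starts /bin/sh, which then cannot open the script), the same script at 0555 runs, and the copied binary at 0111 runs because the kernel maps it without a read permission check. Run as root, the first line reads "ran" as well, which is exactly why "chmod 711" is no protection for anything executed by a privileged daemon.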