On Fri, 2009-08-21 at 09:37 +0100, Tom Evans wrote:
> If it was owned by user apache, then if the webserver were exploitable,
> the attacker would be able to deface your website. If it is just
> readable by apache, then they would need to exploit apache and then find
> a local privilege escalation to do so.

Thank you for pointing out what should have been obvious.

>

When I try to execute scripts from my cgi-bin directory, I am blocked by a permission problem. In Firefox, I am using http://localhost/cgi-bin/env.pl as the address line. My cgi-bin directory (/var/www/cgi-bin) is owned by root with these permissions: drwxr-xr-x.

This is from my httpd.conf:

ScriptAlias /cgi-bin/ /var/www/cgi-bin/

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options Indexes FollowSymLinks ExecCGI Includes
    Order deny,allow
    Allow from all
</Directory>

However, when I try to execute any script from that directory, I get this error.

[Wed Aug 26 21:21:05 2009] [error] [client 127.0.0.1] (13)Permission denied: access to /cgi-bin/env.pl denied

BTW: my serverroot is defined as:
ServerRoot "/etc/httpd"

My document root is defined as:
DocumentRoot "/var/www/html"

The Perl files in the cgi-bin directory are owned by root with these permissions: rwxr-xr-x.

I also tried to create a cgi-bin directory under my home directory (making all of the changes needed in httpd.conf), I set the permissions correctly (I think)

> They don't have to be owned by root, they just need to be readable by
> apache and correctly configured. Your doc root, and all the files under
> there, can be owned by your local user. You only need root privileges to
> start/stop apache.

What about cgi-bin? It is parallel to doc-root.

All help is greatly appreciated!
Chuck

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
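
An added example, not part of the original message and not Apache's own code: a mode-bit audit that walks every path component down to a CGI script and reports where a given account is refused, and where that account could modify content (the ownership concern quoted above). The function names, finding labels and the temporary tree are constructed for illustration; only classic owner/group/other bits are examined, not ACLs or other access-control layers.

```python
import os
import stat
import tempfile

def effective_bits(st, uid, gids):
    """rwx bits the kernel applies to this account: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit(path, uid, gids, base="/"):
    """Check each component from base down to path; return (component, finding) pairs."""
    path, base = os.path.abspath(path), os.path.abspath(base)
    parts = [path]
    while parts[-1] != base and os.path.dirname(parts[-1]) != parts[-1]:
        parts.append(os.path.dirname(parts[-1]))
    findings = []
    for comp in reversed(parts):
        st = os.stat(comp)
        bits = effective_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if not (bits & 1):
                findings.append((comp, "no-search"))     # yields (13)Permission denied
        elif (bits & 5) != 5:
            findings.append((comp, "no-read-exec"))      # CGI script must be r-x
        if st.st_uid == uid or (bits & 2):
            findings.append((comp, "server-writable"))   # server account can alter it
    return findings

def demo(server_owns=False):
    """Constructed tree: cgi-bin is 0750, env.pl is 0755, all owned by the caller."""
    with tempfile.TemporaryDirectory() as root:
        cgi = os.path.join(root, "cgi-bin")
        script = os.path.join(cgi, "env.pl")
        os.mkdir(cgi)
        with open(script, "w") as f:
            f.write("#!/usr/bin/perl\n")
        for p, mode in ((root, 0o755), (script, 0o755), (cgi, 0o750)):
            os.chmod(p, mode)
        owner = os.stat(root).st_uid
        uid = owner if server_owns else owner + 12345  # hypothetical server uid
        return [(os.path.relpath(c, root), f) for c, f in audit(script, uid, set(), base=root)]

if __name__ == "__main__":
    print(demo(), demo(server_owns=True))
```

For a real check, call `audit("/var/www/cgi-bin/env.pl", uid, gids)` with the uid and group ids of the account httpd runs as.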