Re: [cobalt-developers] Re: CGI Wrap Errors
- Subject: Re: [cobalt-developers] Re: CGI Wrap Errors
- From: Chris Adams <cmadams@xxxxxxxxxx>
- Date: Tue May 23 18:30:50 2000
Once upon a time, corliss@xxxxxxxxxxxxxxx <corliss@xxxxxxxxxxxxxxx> said:
> On Tue, 23 May 2000, John Parris wrote:
> > I just tried that and it doesn't work. Each site has its own group, and
> > each user for that site goes into the corresponding group. I get an error
> > even when I ftp in on that site.
> >
> > btw, it also appears that the directory permissions, by default, are set to
> > 2775. Which to me, seems worse... ?
>
> :-P That's why I like BSD boxes better. I never understood that crap about
> every user having a unique UID *&* GID. Buggers. But you're right, 2775
> isn't much better. No isolation at all.
The per-user group is a(n optional) Red Hat-ism, which Cobalt doesn't
use. They do create a group per site, which, along with the set-GID bit
on directories, is needed if you have multiple site administrators
(which a lot of our customers have).
> They've set the GID sticky bit on, eh? Well, why not try 2771? That should
> keep the browsers out, but still let the daemons traverse the tree. Still not
> as secure as I'd like, since another user could still pull a file out of the
> other user's space if they know the exact path and name.
Uh, these are primarily designed as web hosting boxes. If I know the
exact path and name, it is typically going to be viewable from the web
as well.
The Cobalt RaQs are web hosting appliances, after all. They are NOT
designed for a general purpose multi-user environment. If you want to
use them in that way, expect to have to make changes.
--
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.
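
The two directory modes discussed in this thread, 2775 and 2771, compared in a scratch directory. This is an added example, not part of the original message or of Cobalt's software; it assumes GNU `stat`, and the names `site1`, `web` and `index.html` are constructed.

```shell
#!/bin/sh
# Added example. "site1", "web" and "index.html" are constructed names.

mode_of()  { stat -c '%a' "$1"; }   # octal mode with special bits (GNU stat)
group_of() { stat -c '%g' "$1"; }   # numeric owning group

# other_access MODE: what users outside the owner and group get on a directory.
other_access() {
    digit=${1#"${1%?}"}             # last octal digit holds the "other" bits
    out=""
    [ $((digit & 4)) -ne 0 ] && out="$out list"
    [ $((digit & 2)) -ne 0 ] && out="$out create/delete"
    [ $((digit & 1)) -ne 0 ] && out="$out traverse"
    out=${out# }
    echo "${out:-none}"
}

# setgid_demo MODE: create a site directory with MODE in a scratch area and
# print "<dir mode> <subdir got set-GID> <new file got the site group>".
setgid_demo() {
    scratch=$(mktemp -d) || return 1
    site="$scratch/site1"
    mkdir "$site" || return 1
    # Use a group other than the caller's primary one when possible, so that
    # inheritance is visible; fall back silently if the change is not allowed.
    grp=$(id -g)
    for g in $(id -G); do [ "$g" != "$grp" ] && grp=$g && break; done
    chgrp "$grp" "$site" 2>/dev/null || true
    chmod "$1" "$site" || return 1
    mkdir "$site/web"
    : > "$site/web/index.html"
    case $(mode_of "$site/web") in 2???) sub=yes ;; *) sub=no ;; esac
    same=no
    [ "$(group_of "$site/web/index.html")" = "$(group_of "$site")" ] && same=yes
    echo "$(mode_of "$site") $sub $same"
    rm -rf "$scratch"
}

for m in 2775 2771; do
    echo "$m: $(setgid_demo "$m") | other: $(other_access "$m")"
done
```

In both modes the set-GID bit keeps new files and subdirectories in the site's group; the only difference is that 2771 removes the listing right from users outside that group while leaving traversal in place.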