[cobalt-users] Offtopic: CGI and their rights
- Subject: [cobalt-users] Offtopic: CGI and their rights
- From: "manitu" <manitu@xxxxxxxxxx>
- Date: Wed Feb 23 07:38:24 2000
Hello all!

I know the following questions are not directly related to the Cobalt
servers but perhaps my problems are due to the Cobalt software. Perhaps
someone can help me.

I am going to write an addition to the Cobalt GUI. First, I would like to do
some security tests so that my CGIs don't break the Linux security system
and don't offer hackers a way to get into my server.

I have written a SIMPLE C program (which I did compile with gcc) that does
nothing other than create a simple .txt file within the account. I did
upload and compile the program under the site administrator's user data. The
program works fine and creates the file (I did call it via the web and NOT
via telnet).

BUT I noticed that the file is also marked with the same user data that I
logged in with. Before I had my own server, I was a customer on a RaQ2. Then I
did encounter that when almost the same simple CGI created that txt file,
the file was marked with the owner "anonymous".

I do not understand the Linux security and access restriction system at this
point. Why does my script have the same rights as myself? I DID _NOT_ SET
THE SETUID BIT AND DID NOT USE ANY OF THESE FUNCTIONS!

I did try to upload the script as a user who is not siteadmin. The txt file
was created under his user id.

I would be very happy if someone could help me with this and explain to me how
the access restriction system and all these things work (short explanations
are fine, just so that I know a bit more). Thanks in advance!

Manuel
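
A way to check the behaviour described in the message above, as an added example that is not part of the original post: a C CGI that reports the real and effective user IDs it runs under, the owner of a file it creates, and whether its own binary carries the setuid bit. The names `cgi_identity` and `probe_identity`, the scratch path under /tmp and the use of /proc/self/exe (Linux) are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct cgi_identity {
    uid_t ruid, euid;    /* real and effective user id of the process */
    uid_t file_owner;    /* owner of the file the process just created */
    int binary_setuid;   /* 1/0 = setuid bit set/clear on the binary, -1 = not checked */
};

/* Creates `path` (it must not exist yet), records its owner and removes it again.
 * `self` is the running executable's path, or NULL to skip the setuid check. */
int probe_identity(const char *path, const char *self, struct cgi_identity *out)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    if (rc != 0)
        return -1;
    out->ruid = getuid();
    out->euid = geteuid();
    out->file_owner = st.st_uid;
    out->binary_setuid = -1;
    if (self != NULL && stat(self, &st) == 0)
        out->binary_setuid = (st.st_mode & S_ISUID) ? 1 : 0;
    return 0;
}

int main(void)
{
    struct cgi_identity id;
    char path[64];
    /* Assumption: /tmp is writable by the CGI; /proc/self/exe is Linux-specific. */
    snprintf(path, sizeof path, "/tmp/cgi_probe_%ld.txt", (long)getpid());
    printf("Content-Type: text/plain\r\n\r\n");
    if (probe_identity(path, "/proc/self/exe", &id) != 0) {
        printf("probe failed\n");
        return 1;
    }
    printf("real uid: %ld\neffective uid: %ld\nfile owner uid: %ld\nsetuid bit: %d\n",
           (long)id.ruid, (long)id.euid, (long)id.file_owner, id.binary_setuid);
    return 0;
}
```

Requested through the web server and again from a shell, the output shows which account the server executes the CGI as in each case.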