
Re: [cobalt-users] protecting text files in my cg-bin directory from prying eyes



Brian Baggett/Santa Teresa/IBM wrote:
> 
> I have searched the archives and found lots of posts on directory browsing
> and how to disable it.  I have a more specific question.  I have added
> index.html files to all my directories to keep people from being able to
> get directory listings via their web browsers.  However, they can still
> view any non-executable files via their browser if they happen to know or
> guess the file name.  For example, I have several log and data files
> written to by my cgi-bin scripts that live in my cgi-bin directory.  

> What is the easiest way to fix this security hole?

this behaviour isn't a security hole, it's a feature.

your files in the /web directories can be read by all users, including
your webserver, which runs as the user "http" or something similar. your
files are owned by the site users, as are the cgi-scripts, and by
default on the cobalt they are run under the rights of the user they
belong to. so, make your files readable only by the user the cgi-scripts
belong to, using

chmod 600 filename
(-> read- and writeable only by the owner)

do this using telnet/ssh or your favorite ftp client.

for details, consult

a) a basic linux book or tutorial for file ownership and permissions
b) the chmod manpage
c) the faq below

btw, for security reasons it is NOT a good idea to keep private
information beneath the webservers document root (= the /web
directories); you should store them outside. 

-- 

H. P.  Stroebel, Germany

CGI-FAQ for Raq-Newbies :
http://users.iol.it/hpstr/

Apollo 13 : "Houston, we have a problem"
Windows 2000 : "Redmond, we have 64000 problems"
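The chmod advice in the reply above, as an added example that is not part of the original post: a small POSIX shell audit that lists the non-executable files in a directory which "other" users (and so the webserver user) can read, and tightens them to mode 600. The directory and file names in the demo are constructed, not taken from any real site.

```sh
#!/bin/sh
# Added example: audit a cgi-bin style directory for data files readable by
# "other" and lock them down to 600, as the reply recommends.
# Uses only POSIX find/chmod, so it works over telnet/ssh on an old box.

# Print regular files in DIR that have the "other read" bit (-perm -004) and
# are not owner-executable (! -perm -100), i.e. data/log files, not CGI scripts.
list_exposed() {
    find "$1" -type f -perm -004 ! -perm -100 | sort
}

# Tighten every exposed data file in DIR to 600 (read/write for owner only).
lock_down() {
    list_exposed "$1" | while IFS= read -r f; do
        chmod 600 "$f" && echo "fixed: $f"
    done
}

# Succeed (exit 0) only when DIR holds no exposed data files.
audit_ok() {
    [ -z "$(list_exposed "$1")" ]
}

# Demo on a constructed temporary directory; no real site is touched.
demo() {
    tmp=$(mktemp -d)
    printf 'visitor log\n' > "$tmp/access.log";  chmod 644 "$tmp/access.log"   # exposed
    printf 'a,b\n'         > "$tmp/data.csv";    chmod 604 "$tmp/data.csv"     # exposed
    printf 'secret\n'      > "$tmp/private.dat"; chmod 600 "$tmp/private.dat"  # already fine
    printf '#!/bin/sh\n'   > "$tmp/form.cgi";    chmod 755 "$tmp/form.cgi"     # script, left alone
    echo "exposed before lock_down:"; list_exposed "$tmp"
    lock_down "$tmp"
    audit_ok "$tmp" && echo "audit: clean"
    rm -rf "$tmp"
}

demo
```

Run it once with `list_exposed /path/to/cgi-bin` to see what would change before calling `lock_down` on a live directory.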