MiniVend Akopia Services


Re: [mv] turn off cc security - ? on enc. file storage



To offer limited access, and if you are afraid of cgi scripts "walking" your directory space,
you must compile suexec into Apache.  Then make sure no one can suexec their script without your
permission.  Then you make the permissions for the file 400 and suid the script with suexec.
Then you password protect the script to limit who can run it.

FYI - scripts are not limited to web space for files they can view.

Loy Ellen Gross wrote:

> OK, let me clarify. If you were going to save order information in an
> encrypted file on your server, --and-- you wanted to allow a catalog owner
> to pick up the data via SSL and an external (or mv) cgi script, where
> would you put it so that it won't be immediately viewable from other,
> random cgi scripts running on the same server?
>
> I know that sounds like an impossibility - but there are places Apache
> can reach that are outside the web space. Think it's a good idea to put
> encrypted files there? What I'm mostly thinking about is the type of
> simple cgi script that lets a user "walk" around the web space and look
> at the contents of any file readable by nouser. If we started saving
> tracking info this way, we'd want to put it where it couldn't be easily
> found by walking.
>
>   -- Loy
>
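
A check of the file-side end state the reply describes (data file mode 400, owned by the account the suexec'd script runs as, stored outside the web space), as an added example that is not part of the original thread. The names `audit_data_file` and `build_sample_tree`, the `htdocs`/`private` layout and the file name `orders.enc` are constructed for illustration; the suexec build and the password protection of the script are not covered here.

```python
import os
import stat
import tempfile

def audit_data_file(path, docroot, expected_uid):
    """Return a list of findings; an empty list means the file matches the advice."""
    findings = []
    real = os.path.realpath(path)      # resolve symlinks before comparing paths
    root = os.path.realpath(docroot)
    # A file under the document root can be requested by URL, so flag it.
    if os.path.commonpath([real, root]) == root:
        findings.append("inside document root")
    st = os.stat(real)
    mode = stat.S_IMODE(st.st_mode)
    # 0400: owner read only; no write bit, nothing for group or other.
    if mode != 0o400:
        findings.append("mode is %04o, expected 0400" % mode)
    # Under suexec the script runs as the file's owner, not the shared web user.
    if st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    return findings

def build_sample_tree(base):
    """Constructed layout: one file in web space (0644), one outside it (0400)."""
    docroot = os.path.join(base, "htdocs")
    private = os.path.join(base, "private")
    os.makedirs(docroot)
    os.makedirs(private)
    exposed = os.path.join(docroot, "orders.enc")
    locked = os.path.join(private, "orders.enc")
    for p, mode in ((exposed, 0o644), (locked, 0o400)):
        with open(p, "wb") as fh:
            fh.write(b"constructed sample ciphertext\n")
        os.chmod(p, mode)
    return docroot, exposed, locked

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        docroot, exposed, locked = build_sample_tree(base)
        for p in (exposed, locked):
            print(p, audit_data_file(p, docroot, os.getuid()) or "ok")
```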


