scripts access

got some hosting web space on a server, my question is I am part of a user group and my concern is that of security where by other users in the group can go into my cgi directory and look at my scripts and files and get user passwords etc.How do you prevent access(copying) to these scripts or directory browsing from the other group members but still make scripts execute from a browser.

Im new to unix, is it the htaccess file thats needed or this wrapping thing which I think my isp doesnt support. Is there any good tutorials on these subjects.

kind regards

First of all, all scripts/code should be written to use encrypted passwords when possible. However, this is often not practical due to time and other resource constraints. I assume you have these constraints and need a solution.

First of all, make sure that your web server executes as a distinct user and group. For example, the web server should run as 'web' and the group 'webgroup' with no others in that group.

You then change the ownership of the files/scripts to that of the web user (certainly not root, UID 0). You then set the permissions of the scripts to not be readable by other users, etc. and you do not give access to the directories by other users of the system.

It is best not to have users on the machine and to have shell accounts for casual users on another machine.

If this is not possible for some reason, then you should set the users up with a different root file system using the 'chroot' (change root) utilitity so the users will not have access to the filesystem, etc.

The best thing to do is to run the web server in production mode and not to have users on the platform (except trusted users). If users are needed to support the web application then do that in a development box without the scripts (or with bogus scripts/passwords to test) and then move the work to the production environment.

In the final analysis, the choice is based on operational risk-management. If you are doing credit card, personnel files, financial tranactions, etc. then the risk is great. If you are just running a small, not critical site, the risk is lower. The compensating controls are based on the degree of risk you are willing to take. No system can be made 100 percent 'unbreakable' and there will always be a way for a malicious user with good computer skills (and access to the platform) to read a shell script with unencrypted passwords.

In other words, there cannot be a good answer without knowing the nature of the application(s) on the server and the risk profile of the system(s).

While these are all valid points, it sounds like the original poster was talking about an account he has at an ISP, so it is unlikely that he will be able to control the UID of the web-server or the allocation of user accounts.

Unless your ISP is using wrappers on the CGI programs, it is likely that you will have to allow group read to your scripts for them to execute. You should never hard-code passwords in plain text into your scripts, instead use encrypted passwords (relatively easy to implement in many languages -- there are usually libraries available to help you) or look into using the htaccess files.

Good luck...

thanks for the replys. I have being told by one of the subscibers to our isp that we do support suexec but I am none the wiser to implementing this with php.
I have been to a few sites and read up on this command but still very vague on how to use because of the lack of examples.

once again thankyou

[Edited by Neo on 01-19-2001 at 11:58 PM]