CGI file ownership

Andrew

Hi all, and thanks for any help given!
I am currently building a web page with CGIs that create text files
to store data. When it does this it is saving the file with ownership
of apache, and I want to change the ownership of the file to a lesser
owner (the one where the webpage is stored). I have tried some commands
and variations of the commands with no success. Is there anyone that
knows how to change the ownership (hardlink) to a lesser owner? If so,
could you please provide the line of code and how it works =)
Thanks Heaps
Andrew
 
Bob Walton

Andrew wrote:

> ....
>
> I am currently building a web page with CGIs that create text files
> to store data. When it does this it is saving the file with ownership
> of apache, and I want to change the ownership of the file to a lesser
> owner (the one where the webpage is stored). I have tried some commands
> and variations of the commands with no success. Is there anyone that
> knows how to change the ownership (hardlink) to a lesser owner? If so,
> could you please provide the line of code and how it works =) ....


Andrew

You don't say what your OS is, but I assume it is some flavor of Unix.
Generally, file ownership is changed with the chown command. But it
probably is restricted to only be run by root. Do:

perldoc -f chown

and

man chown

for your OS to see the details for your system -- the details vary quite
a bit.
 
David Efflandt

> Hi all, and thanks for any help given!
> I am currently building a web page with CGIs that create text files
> to store data. When it does this it is saving the file with ownership
> of apache, and I want to change the ownership of the file to a lesser
> owner (the one where the webpage is stored). I have tried some commands
> and variations of the commands with no success. Is there anyone that
> knows how to change the ownership (hardlink) to a lesser owner? If so,
> could you please provide the line of code and how it works =)
> Thanks Heaps
> Andrew

It may be better to run the CGI under suexec (or cgiwrap) as the user you
want to save it as, then the CGI could be run with 700 permission and
access files with 600 permission. Or in the absence of suexec or cgiwrap,
you could run the script suid as the desired user (usually requires suid
binary wrapper, since suid for scripts is typically ignored).

If for security reasons chown does not allow you to change owner, or group
[assuming that apache and only desired user(s) are members of that group],
the only other option is to leave it wide open with insecure chmod 0666
(or perhaps less depending upon group or others). If you then as the
desired user, change owner/group, the CGI may no longer be able to modify
or delete the files, depending upon permissions at that time.

So unless this is your own private server, it would be better to have your
CGI somehow run as the desired user, than to leave the files vulnerable
until you have a chance to modify ownership and permissions.

BTW never give any file 777 permission, since that would allow any user to
modify and execute it.
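
The two facts this thread turns on, as an added example that is not part of any poster's message: an unprivileged process cannot give its file to another uid, but it can hand the file to a group it belongs to, which is the shared-group arrangement David mentions in brackets. The temp directory, the file name, the use of the process's last group as the "shared" group, and the target uid are assumptions made so the script runs anywhere.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Runs in a throwaway temp directory.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

my $dir  = tempdir(CLEANUP => 1);   # stands in for the CGI data directory
my $path = "$dir/entry.txt";        # constructed file name

# Create the file group-writable but closed to "other" from the first moment,
# so it never sits at 0666. O_EXCL refuses a path that already exists.
my $old_umask = umask 0007;
sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0660)
    or die "create $path: $!";
umask $old_umask;
print {$fh} "constructed sample record\n";
close $fh or die "close $path: $!";

# 1. Giving the file to another uid needs root (CAP_CHOWN) on Linux.
if ($> != 0) {
    my $other_uid = $> + 1;         # assumption: any uid that is not ours
    if (chown($other_uid, -1, $path)) {
        print "chown to uid $other_uid succeeded (chown is not restricted here)\n";
    } elsif ($!{EPERM}) {
        print "chown to uid $other_uid refused: $!\n";
    } else {
        die "chown $path: $!";
    }
}

# 2. The owner may change the group, provided the process is a member of the
#    target group. A uid of -1 leaves the owner untouched.
my @gids       = split ' ', $);     # effective gid, then supplementary gids
my $shared_gid = $gids[-1];         # assumption: plays the shared group
chown(-1, $shared_gid, $path) or die "chgrp $path: $!";

my ($mode, $gid) = (stat $path)[2, 5];
printf "%s mode=%04o gid=%d\n", $path, $mode & 07777, $gid;
```

On a real server the shared group would be one whose only members are the web server account and the site owner, so mode 0660 gives both write access without opening the file to everyone else.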
 
Robin

Andrew said:
> Hi all, and thanks for any help given!
> I am currently building a web page with CGIs that create text files
> to store data. When it does this it is saving the file with ownership
> of apache, and I want to change the ownership of the file to a lesser
> owner (the one where the webpage is stored). I have tried some commands
> and variations of the commands with no success. Is there anyone that
> knows how to change the ownership (hardlink) to a lesser owner? If so,
> could you please provide the line of code and how it works =)
> Thanks Heaps
> Andrew

perl has a built in command for this, see the documentation, perldoc -f
chown, also, you could always use system or exec, but it is unadvisable.
-Robin
 
Andrew

Thanks all that have replied so quick,
I should have put more OS system info (Linux, RedHat 9), and I forgot
to mention that I want the CGI to do it after it creates the file. I
think that David answered my question enough that I can do some
research and hopefully solve my problem.
Thanks All
Andrew
 
Joe Smith

Robin said:
> perl has a built in command for this,

That's true, but chown() is not usable unless the web server is
running as root, which is not likely. (And would be an unacceptable
security risk if it was.)
-Joe
 
Sherm Pendley

Robin said:
> perl has a built in command for this, see the documentation, perldoc -f
> chown, also, you could always use system or exec, but it is unadvisable.

Robin, you might think that you're being "trendy" or "cool" by shouting
"RTFM", but in truth you're making a fool of yourself. It doesn't matter
in this case whether the external chown command or internal chown()
function is used - both require root access, which is the advice given
above by people far better qualified to give it.

sherm--
 
Robin

Mike Heins said:
> Au contraire -- some operating systems allow you to "give away" a
> file you own. True, not any that I know of are in common use; but
> it is possible.
>
> And, presumably, using the system documentation would be the
> authoritative reference for that.

yeah. and we don't know his os.
-robin
 
Sherm Pendley

Mike said:
> And, presumably, using the system documentation would be the
> authoritative reference for that.

Two points:

Robin specifically referred to 'perldoc -f chown' - i.e. the standard
perl docs for the built-in chown() function. There is no mention in that
of these caveats.

Second, Robin has a history here. This is not the first time he's tried
to be "kewl" by posting an RTFM response that turned out to be utterly
clueless. He saw this was a question about changing ownership, and tried
to imitate what he imagines is how a "guru" would answer the question.

sherm--
 
Jürgen Exner

Sherm said:
> Two points:
>
> Robin specifically referred to 'perldoc -f chown' - i.e. the standard
> perl docs for the built-in chown() function. There is no mention in
> that of these caveats.

Really? The version I have includes

On most systems, you are not allowed to change the ownership of
the file unless you're the superuser, [...]

jue
 
Walter Roberson

:Au contraire -- some operating systems allow you to "give away" a
:file you own. True, not any that I know of are in common use ; but
:it is possible.

IRIX. But I guess that doesn't really qualify as being in "common use"
anymore.


http://techpubs.sgi.com/library/tpl...an&fname=/usr/share/catman/u_man/cat1/chgrp.z

Only the owner of a file (or the superuser) may change the owner or group
of that file.

However, if the variable restricted_chown is enabled (see intro(2) and
systune(1M)) then only the superuser can change the owner of the file,
because if users were able to give files away, they could defeat the file
space accounting procedures.


On the other hand, Solaris probably still qualifies as being in
common use:

http://docs.sun.com/db/doc/816-0210/6m6nb7m5t?a=view

Only the owner of a file (or the super-user) may change the owner
of that file.

The operating system has a configuration option
{_POSIX_CHOWN_RESTRICTED}, to restrict ownership changes. When this
option is in effect the owner of the file is prevented from
changing the owner ID of the file. Only the super-user can
arbitrarily change owner IDs whether or not this option is in
effect. [...]

{_POSIX_CHOWN_RESTRICTED} is enabled by default.


So Solaris allows admins to enable the behaviour.
 
Sherm Pendley

Jürgen Exner said:
> Sherm said:
>> Mike Heins wrote:
>>
>> Two points:
>>
>> Robin specifically referred to 'perldoc -f chown' - i.e. the standard
>> perl docs for the built-in chown() function. There is no mention in
>> that of these caveats.
>
> Really? The version I have includes
>
> On most systems, you are not allowed to change the ownership of
> the file unless you're the superuser, [...]

Exactly. As you've kindly shown here, the Perl docs do mention the fact
that not *all* systems require root permissions. But they are absolutely
*not* an "authoritative reference" that will tell you the specific
behavior of the system you're on.

sherm--
 
Sherm Pendley

Perusion said:
> I don't make too many of them, but I am willing to believe that
> repeated RTFM responses will actually get a few people to do it.

RTFM, if a pointer to which FM should be R'd is included, can be a good
response. After all, if a good explanation has already been written,
going to the trouble of writing another seems a waste.

My issue with Robin's response isn't the "RTFM-ness" of it. It's that
Robin issues such responses because he thinks snide, RTFM responses will
make him look "kewl" and help him "fit in". He tries to pretend to a
much higher clue level than he actually has.

Like I said earlier, he has a history here - have a look at the archives
at Google, and you'll see what I mean. His posting history shows that
any resemblance between useful information and one of his posts is
purely coincidental.

sherm--
 
Rich Grise

Andrew said:
> Hi all, and thanks for any help given!
> I am currently building a web page with CGIs that create text files
> to store data. When it does this it is saving the file with ownership
> of apache, and I want to change the ownership of the file to a lesser
> owner (the one where the webpage is stored). I have tried some commands
> and variations of the commands with no success. Is there anyone that
> knows how to change the ownership (hardlink) to a lesser owner? If so,
> could you please provide the line of code and how it works =)
> Thanks Heaps
> Andrew

This is not a perl question.

Every time I've ever run a CGI, it's run as nobody, and the file ownership
is nobody. I don't know how it's done, because it's just been that way
on every system I've done CGI on, but I'm guessing it has something to
do with either Apache's config or its invocation.

In other words, it happens completely outside the scope of your script.

Try man httpd.

Good Luck!
Rich
 
