[thelist] Site Root & Document Root

<color><param>7F00,0000,0000</param><smaller>> Keith 

> 

> One quick thought/question ...

> 

> <<SNIP>

> > ...siteAdmin and the site's CGI, no one not even the serverAdmin. If

> > you use 0666 to store files outside the domain path on a RaQ those

> > files can be accessed by the serverAdmin, not a good thing if the

> > serverAdmin is different from the siteAdmin.

> <</SNIP>

> 

> can cgiWrap not read a files outside domain path with 0600 ?

> 


</color>That depends, Marcus. Unix permissions are not global, 
0600 set by user xyz is a different set of permissions than 
0600 set by user abc. 


Permissions are set for 0-owner-group-other. Suppose user 
xyz can create, and therefore own, a file in the /root/ 
directory (the user named "root" would of course have to 
give /root/ permissions for that). A CGI owned by user xyz 
would then be able to r/w that file in /root/ because xyz owns 
both files. This logic extends throughout the entire server. A 
CGI owned by xyz can r/w any file anywhere on the server if 
the file is owned by xyz and has 0600 permissions.


So the answere is, yes, IF the file outside of the domain 
path is owned by the same user that owns the CGI that is 
attempting to r/w that file. But the answere is no, IF the file is 
owned by a user other than the owner of the CGI that is 
attempting to r/w that file. 


Caveat: xyz cannot r/w a file created by abc if the file has 
0600 permissions, or even 0666 permissions, even if that 
file is inside the domain (That's why you never allow two 
siteAdmins for one site, and never upload files to a site as 
the serverAdmin, even though both are technically possible 
on a RaQ)


This may seem weird if you are used to a regular Unix 
server. This all makes sense though if you understand why 
a RaQ has to use CGIWrap. 


On most Unix/Apache servers Perl runs as the user 
nobody, the same user that Apache runs as. Therefore a 
CGI activity is controlled by the "other" permission. On a 
RaQ Perl also runs the Cobalt GUI that runs the server. 
Therefore Perl needs to r/w config files that are owned by 
the user named "root". This would be a catastrophy waiting 
to happen if left that way since a script in any domain could 
r/w such files as httpd.conf. 


By forcing CGI through CGIWrap a CGI runs as the owner 
of the file and by Cobalt/Apache config that owner must be a 
siteAdmin. Therefore, CGI activity is controlled by the 
"owner" permissions instead of by the "other" permissions. 
Although I don't use ASP or PHP, I understand that their 
permission set on a RaQ is also through the "owner" 
instead of "other". 


keith



<nofill>
cache@dowebs.com
WebSitePad.com  
edit and manage your site from your browser