Web Hosting Talk







View Full Version : Permission Denied in cgi files.


joubarani
05-13-2001, 09:36 AM
Hi,
We have a cobalt raq 4i and we have a permission denied problem with several scripts.
We previously had a virtual server and we worked with these scripts properly; we were uploading files either with ftp or with webfolder and we dealt with these files differently without having owner problems. However, now we are working with a dedicated server, a cobalt raq 4i, and are facing this problem since the owner of the files is different between the case of uploading with webfolder and the case of uploading with ftp.
Can anybody advise us how to bypass this problem?
We have only one administrator for the whole server and all the sites.
Is there any way to create a super user who has all the abilities (front pages access, ftp access, and telnet) to manage the whole server and all the sites and has all the permissions? P.S.: we know that this is a big security hole.
Thanks for your help.

huck
05-14-2001, 08:44 AM
You can be getting these errors for a couple of reasons:
First is CGIwrap.
Second is under CGIwrap, you have the wrong permission and ownership settings ... see below for details.



CGIwrap
The Cobalt Raq 4i comes with CGIwrap. CGIwrap basically wraps cgi-requests and executes them using the username of the script's owner. This can cause some problems when scripts do not have the right owner or group, especially if you migrate from one server to another. This is for security reasons, as it limits the script's access capabilities to those of the user. Without cgiwrap, a script would run as another user, e.g. the webserver, and be granted access to parts of the server that the user could not access. Thus, using cleverly written scripts, people could gain access to the server's files via cgi. You could consider removing cgiwrap, but only if you trust every cgi-script that gets put on your server. As a practice, we deal with the headaches that cgiwrap causes in exchange for added security.

CGIwrap Homepage
http://cgiwrap.unixtools.org/


Set proper Groups, Owners, and Permissions
As admin, I change all scripts to have the ownership of the site-admin for that site and set the group ownership to the appropriate group (site1, site2, etc).

If you want an administrator to be able to modify all of the files, then you will have to add their username to the groups in the /etc/groups file. Simply use a text editor (vi or pico) to add the person's username next to the group name. All names should be separated by commas.

Also, you will have to make sure that the files are set with permission mask 775 as opposed to 755. 775 grants group read, write, execute status to groups, thus allowing anyone specified in the group the ability to modify the files.

System-wide Solution: sudo
There is a utility called "sudo" that allows you to give certain users limited root abilities. Depending upon how your site is set up and what your web site managers do, you may want to use this tool. Sudo users get limited access to the things that root could do. This is great for giving someone (you trust) some of the root account's power without giving out the root password. Sudo also tracks everything that a sudo user does, so that you have a constant log of root-like activities. This utility would allow your admin(s) to get around permission problems or change them as necessary.
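
A read-only audit of the owner, group and mode settings described in the reply above, as an added example that is not part of the original post. The function names, the report labels and the separate world-writable check are assumptions of this example; the site directory, expected owner and expected group are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): report CGI scripts whose ownership or
# mode would trip CGIwrap or break group editing. It changes nothing on disk.
# Usage: sh audit_cgi.sh SITE_DIR EXPECTED_OWNER EXPECTED_GROUP

# List scripts with the two extensions mapped in the thread (.cgi, .pl)
# that also match the extra find(1) tests passed after the directory.
cgi_files() {
    root=$1; shift
    find "$root" -type f \( -name '*.cgi' -o -name '*.pl' \) "$@"
}

# Print one labelled line per finding; return 1 if anything was found.
audit_cgi() {
    dir=$1; owner=$2; group=$3
    report=$(
        # CGIwrap runs a script as its owner, so a wrong owner matters most.
        cgi_files "$dir" ! -user "$owner"  | sed 's/^/OWNER /'
        # Group editing only works if the file is in the site's group.
        cgi_files "$dir" ! -group "$group" | sed 's/^/GROUP /'
        # The reply recommends 775 (group-writable) rather than 755.
        cgi_files "$dir" ! -perm 775       | sed 's/^/MODE /'
        # Extra check (assumption of this example): any local user could
        # rewrite a world-writable script that later runs as its owner.
        cgi_files "$dir" -perm -002        | sed 's/^/WORLD-WRITABLE /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Run only when called with the three arguments; sourcing defines functions.
if [ "$#" -eq 3 ]; then
    audit_cgi "$@"
fi
```

Run it once per site with that site's admin user and group; an empty report with exit status 0 means every script matches the expected owner, group and mode.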

joubarani
05-15-2001, 10:50 AM
Hi,
Thank you for your detailed reply and explanation.
In fact we made some tests on one of our cgi files. First we changed the directive in httpd.conf for one of the virtual sites as follows:
from
addhandler cgi-wrapper .cgi
addhandler cgi-wrapper .pl
to
addhandler cgi-script .cgi
addhandler cgi-script .pl
Also, we changed its owner from admin to nobody (the owner of all the files in the site) but it didn't work. Then we changed the cgi file owner to root but had the same result, and we could not edit any other files with another owner.
We prefer to deal with the dedicated server as we did with our previous virtual server, in which we could any file from the file manager cgi script which we uploaded from the webfolder. Is it possible to deal like that?
Thanks for your help.

J. Joubarani