Web Hosting Talk







Chrooting CGI without chrooting Apache


singhk
05-19-2003, 12:23 PM
Is it possible?

Also, what policy do most follow while giving CGI access?
a) Give all
b) To selected
c) Deny all


K Singh

WH-Coach
05-19-2003, 10:30 PM
Yes, this is possible. I assume that you don't want to use suexec.

There is a script on hostscripts that cPanel uses as well - it's a wrapper that sets the permissions of an executing script to the permissions of the folder the script is in.

It is never really advisable to have your web process running as root. If memory serves, you'll need to make some tweaks to the program to allow it to move up to root level access.

singhk
05-19-2003, 10:41 PM
Whether suexec or not, the script can still read others' files and directories. What I want to know is whether something like PHP's open_basedir can be done for CGI without chrooting Apache.

Kirti

sprintserve
05-20-2003, 02:29 PM
If, using suexec, you can read other users' files, you really need to set the proper permissions. That will prevent that from happening.

singhk
05-20-2003, 10:37 PM
It is not a major security thing if both PHP and CGI are running in suexec mode. But normally PHP runs as nobody. So this puts question marks on the PHP scripts which are required to be read by the nobody user. Though one may not be able to read others' scripts using PHP (in open_basedir mode), using Perl/CGI a person can access them. So it needs to be chrooted. Is it possible without chrooting Apache?

K Singh
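
The permission question raised in this thread can be checked mechanically. The following is an added example, not code from any poster: it lists files that another account's suexec CGI could read, by requiring o+r on the file and o+x on every parent directory. The account names, the layout, and the idea of giving `public_html` to the web server's group are assumptions; only mode bits are inspected, not ACLs or group membership.

```python
import os
import stat
import tempfile

def other_can_read(path, root):
    """True if a user who is neither owner nor group member can read path.

    Needs o+r on the file and o+x on every directory from root down to it.
    """
    path, root = os.path.abspath(path), os.path.abspath(root)
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False
    d = os.path.dirname(path)
    while True:
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False
        if d == root or d == os.path.dirname(d):
            return True
        d = os.path.dirname(d)

def audit(root):
    """Sorted relative paths of files under root readable by 'other' users."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if other_can_read(full, root):
                exposed.append(os.path.relpath(full, root))
    return sorted(exposed)

def build_sample(base):
    """Constructed layout with two hypothetical accounts; returns the home root."""
    home = os.path.join(base, "home")
    layout = {  # relative path -> mode; directories end with "/"
        "alice/": 0o711, "alice/public_html/": 0o755,
        "alice/public_html/config.php": 0o644,   # world-readable for PHP as nobody
        "alice/public_html/form.cgi": 0o700,     # suexec runs it as alice
        "bob/": 0o711, "bob/public_html/": 0o750,  # group assumed to be the web server's
        "bob/public_html/config.php": 0o640,
    }
    os.makedirs(home)
    os.chmod(home, 0o755)
    for rel, mode in layout.items():
        full = os.path.join(home, rel)
        os.mkdir(full) if rel.endswith("/") else open(full, "w").close()
        os.chmod(full, mode)
    return home

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample(tmp)))
```

On the constructed tree only alice's `config.php` is reported; bob's stays unreported even if the file itself is made 0644, because the 0750 directory blocks traversal.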