
Directory for CGI data files

Your CGI programs may need special access to some files for their operation. These needs raise security issues. For instance, a CGI script that accesses a database may need to provide a password to the database server. It is better to have the script read this password from a secure file than to put the password into the CGI script where it can be read by any user on the system. Another special case is a CGI that needs to update a data file such as a hit counter. Since the CGI runs as nobody, the data file must be made world-writeable. This is a security risk since any other user on the system can modify the file.

Normally, the best solution to these problems is to run the web server on a dedicated machine that has no user accounts except for the administrator. Here, we are considering how to provide adequate security on a machine with many ordinary user accounts. The solution involves giving the nobody group a few privileges. Therefore the operations described below must be carried out by the super-user. To indicate this fact, the > in the prompt is replaced by #.

The directory where sensitive files are to be placed will be called cgi-files. Since the contents of the files are not to be served up directly by the web server, this directory should not be located in the URL-space. For convenience, we place it in the user's home directory, i.e. home/joeuser in this example.

  ~joeuser/# mkdir cgi-files
  ~joeuser/# chown joeuser:nobody cgi-files
  ~joeuser/# chmod u=rwx cgi-files
  ~joeuser/# chmod g=x cgi-files
  ~joeuser/# chmod o=  cgi-files
  ~joeuser/# ls -ld cgi-files
  drwx--x---    2 joeuser   nobody        1024 Sep  4 17:59 cgi-files

The permissions allow you, the owner of this directory, full privileges within this directory. The group nobody (which is the group to which CGI scripts belong when run by the web server) has execute (search) permission only: it can open files in the directory by name, but cannot list the directory or create or delete files in it. All other users have no access.

Now, if you need to create a world-writeable file or a file containing passwords, you should place it in this directory. (You can also use this directory for .htaccess password files. Although these are not CGI-related, the directory has the right permissions for this purpose.) As an example, suppose you have a hit-counter program which needs to store the number of hits in a file named hits.dat. You would perform the following operations before running the CGI program. (Note that the prompt is back to normal, indicating that you, not root, can perform these operations.)

  ~/> cd cgi-files
  ~/cgi-files/> echo "0" > hits.dat
  ~/cgi-files/> chmod o=rw hits.dat
  ~/cgi-files/> ls -l hits.dat
  -rw-r--rw-    1 joeuser   students         2 Sep  4 18:09 hits.dat

This operation initializes the file with the number zero in it, and gives the world permission to read and modify it. But since only the nobody group can access the file due to the directory permissions, read and write permission for the file is effectively limited to that group.
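
The protection of hits.dat rests entirely on the mode and group of cgi-files, so it is worth re-checking after any chmod or restore from backup. The following is an added example, not part of the original page: a POSIX shell function (the name check_cgi_dir and its numeric-gid argument are this example's own) that verifies the directory and reports files whose world bits are shielded only by it.

```sh
#!/bin/sh
# Added example, not from the original page.
# check_cgi_dir DIR GID: GID is the numeric id of the web server's group.
# Returns 0 if DIR matches the layout above (drwx--x---, group GID), else 1.
check_cgi_dir() {
    dir=$1; want_gid=$2; rc=0
    line=$(ls -ldn "$dir" 2>/dev/null) || { echo "FAIL: cannot stat $dir"; return 1; }
    set -- $line                            # $1 = mode string, $4 = numeric gid
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop a trailing ACL/SELinux marker
    gid=$4
    if [ "$mode" != "drwx--x---" ]; then
        echo "FAIL: $dir is $mode, expected drwx--x---"; rc=1
    fi
    if [ "$gid" != "$want_gid" ]; then
        echo "FAIL: $dir has gid $gid, expected $want_gid"; rc=1
    fi
    # The directory shields its files only while "other" has no bits on it.
    shielded=no
    if [ "$(printf '%s' "$mode" | cut -c8-10)" = "---" ]; then shielded=yes; fi
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        obits=$(ls -ln "$f" | cut -c8-9)    # other-read and other-write bits
        [ "$obits" = "--" ] && continue
        if [ "$shielded" = yes ]; then
            echo "ok: $f is o=$obits, reachable only by the owner and gid $gid"
        else
            echo "FAIL: $f is o=$obits and the directory does not shield it"; rc=1
        fi
    done
    return $rc
}
```

Run it as the directory's owner, for example `check_cgi_dir ~/cgi-files "$(id -g nobody)"`, since only the owner can list the directory.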


Robert Moniot
2000-09-13