Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: scripts access
Special Forums Cybersecurity scripts access Post 738 by Neo on Saturday 13th of January 2001 11:39:04 PM
Old 01-14-2001
First of all, all scripts/code should be written to use encrypted passwords when possible. However, this is often not practical due to time and other resource constraints. I assume you have these constraints and need a solution.

First of all, make sure that your web server executes as a distinct user and group. For example, the web server should run as 'web' and the group 'webgroup' with no others in that group.

You then change the ownership of the files/scripts to that of the web user (certainly not root, UID 0). You then set the permissions of the scripts to not be readable by other users, etc. and you do not give access to the directories by other users of the system.

It is best not to have users on the machine and to have shell accounts for casual users on another machine.

If this is not possible for some reason, then you should set the users up with a different root file system using the 'chroot' (change root) utilitity so the users will not have access to the filesystem, etc.

The best thing to do is to run the web server in production mode and not to have users on the platform (except trusted users). If users are needed to support the web application then do that in a development box without the scripts (or with bogus scripts/passwords to test) and then move the work to the production environment.

In the final analysis, the choice is based on operational risk-management. If you are doing credit card, personnel files, financial tranactions, etc. then the risk is great. If you are just running a small, not critical site, the risk is lower. The compensating controls are based on the degree of risk you are willing to take. No system can be made 100 percent 'unbreakable' and there will always be a way for a malicious user with good computer skills (and access to the platform) to read a shell script with unencrypted passwords.

In other words, there cannot be a good answer without knowing the nature of the application(s) on the server and the risk profile of the system(s).
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Need help to access/mount so to access folder/files on a Remote System using Linux OS

Hi I need to access files from a specific folder of a Linux system from an another Linux System Remotely. I know how to, Export a folder on One SCO System & can access the same by using Import via., NFS in the Sco Unix SVR4 System using the scoadmin utility. Also, I know to use mount -t ... (2 Replies)
Discussion started by: S.Vishwanath
2 Replies

2. Shell Programming and Scripting

Access shell scripts from HTML page

Hi, I need (have been asked/order/instructed) to migrate the access of a number of ksh scripts into a html/web page environment. Currently access is with the user logging onto a unix box and accessing the scripts that way. The users are not unix people so I have restricted the access solely to... (4 Replies)
Discussion started by: nhatch
4 Replies

3. Shell Programming and Scripting

How to access variables across scripts

Hi All, I have declared a variable in script1 and assign a value for it. In script2 i'll call script1 and then I want the value of variables set in script1. I have tried with export, but in vain. How can I achive this? Below is the two scripts. --script1 #!/usr/bin/ksh echo $1... (1 Reply)
Discussion started by: javaDev
1 Replies

4. Shell Programming and Scripting

Changing the Bash Scripts to Bourne Scripts:URGENT

Hi, I have to write a program to compute the checksums of files ./script.sh I wrote the program using bash and it took me forever since I am a beginner but it works very well. I'm getting so close to the deadline and I realised today that actually I have to use normal Bourne shell... (3 Replies)
Discussion started by: pgarg1989
3 Replies

5. UNIX for Dummies Questions & Answers

kernel giving access for multiple users to access files

hi all, i want to know y kernel is giving access for multiple users to access a file when one user may be the owner is executing that file. Because other user can manipulate that file when the other user is executing that file, it will give the unexpected result to owner . plz help me... (1 Reply)
Discussion started by: jimmyuk
1 Replies

6. Shell Programming and Scripting

using unix scripts database access

i want to access database (sql script) within a unix script. help me (2 Replies)
Discussion started by: chamaraa
2 Replies

7. Shell Programming and Scripting

export and access env variable in two scripts

Hi, I have two scripts say one.sh and two.sh. I want one.sh to continuously export a variable in loop. and when two.sh starts then it should read the last value exported from one.sh. file: one.sh #! bin/sh for i in `seq 1 1 4000000`; do export VAR=$(($i**$i)) ; done file two.sh ... (2 Replies)
Discussion started by: bhushan123
2 Replies

8. Shell Programming and Scripting

KSH - How to call different scripts from master scripts based on a column in an Oracle table

Dear Members, I have a table REQUESTS in Oracle which has an attribute REQUEST_ACTION. The entries in REQUEST_ACTION are like, ME, MD, ND, NE etc. I would like to create a script which will will call other scripts based on the request action. Can we directly read from the REQUEST_ACTION... (2 Replies)
Discussion started by: Yoodit
2 Replies

9. Shell Programming and Scripting

Restrict access to .ksh scripts

Hi, How to restrict access to a .ksh script in such the way that the users can only execute the script, neither read nor write. I tried the below code so that my user alone has the rwx and other users can only execute. chmod 711 sample.ksh But when I logged in as a different user... (26 Replies)
Discussion started by: machomaddy
26 Replies

10. Solaris

samba read write access to owner and no access to other users

Hi All, I want to configure samba share permission so that only directory creator/owner has a read and write permission and other users should not have any read/write access to that folder.Will that be possible and how can this be achieved within samba configuration. Regards, Sahil (1 Reply)
Discussion started by: sahil_shine
1 Replies

LEARN ABOUT SUSE

djvuserve

DJVUSERVE(1)							   DjVuLibre-3.5						      DJVUSERVE(1)

NAME

       djvuserve - Generate indirect DjVu documents on the fly.

DESCRIPTION

       Program	djvuserve  is  a  CGI program that can be executed by a HTTP server for serving DjVu documents.  This program is able to convert a
       bundled multi-page document into an indirect document on the fly.

USING DJVUSERVE

       Program djvuserve must first be installed as a CGI program for your web server.	There are several ways to achieve this.   The  Apache  web
       server, for instance, often defines a specific directory for CGI programs using the ScriptAlias directive.  Assume that the file httpd.conf
       contains the following line:

	  ScriptAlias /cgi-bin/ "/var/www/cgi-bin"

       It is then sufficient to create a small executable shell script /var/www/cgi-bin/djvuserve containing the following lines:

	  #!/bin/sh
	  exec /full/path/to/djvuserve

       Suppose that a large bundled multi-page DjVu document is available at the following URL.

	  http://server/dir/doc.djvu

       The CGI program djvuserve lets you access this same document as an indirect multi-page DjVu document using the following URL.

	  http://server/cgi-bin/djvuserve/dir/doc.djvu/index.djvu

       Serving indirect multi-page DjVu documents provides for efficiently browsing large document without transferring unnecessary pages over the
       network.  See djvu(1) for more information.

       Furthermore  djvuserve searches certain keywords among the CGI arguments of the URL.  The keyword bundled forces serving a bundled document
       using

	  http://server/cgi-bin/djvuserve/dir/doc.djvu?bundled

       The keyword download inserts a content disposition HTTP header that suggests to display a save dialog instead of displaying the document.

	  http://server/cgi-bin/djvuserve/dir/doc.djvu?download

USING DJVUSERVE AS A HANDLER

       The Apache web server provides a way to automatically execute djvuserve for all DjVu documents.	This can be achieved using  the  following
       directives in either the Apache configuration file or the .htaccess files.

	  Action djvu-server /cgi-bin/djvuserve/
	  AddHandler djvu-server .djvu

       Apache  then  executes program djvuserve for serving all DjVu files.  Providing the URL of DjVu file serves this DjVu file as usual, except
       that bundled multipage documents are converted to indirect documents on the fly.  This convenience comes at the	expense  of  the  computa-
       tional cost of executing djvuserve whenever a DjVu file is requested.

TECHNICAL DETAILS

       Program	djvuserve provides a mean to directly access any component of a bundled multi-page DjVu document can be accessed using an extended
       URL.  Suppose that the component file representing page 1 is named p0001.djvu.  The following URL provides a direct access to this page:

	  http://server/cgi-bin/djvuserve/dir/doc.djvu/p0001.djvu

       It is preferred however to access individual pages using the CGI style arguments described in nsdejavu(1), as in the following URL.

	  http://server/cgi-bin/djvuserve/dir/doc.djvu?djvuopts&page=12

       The special component file name index.djvu is recognized as a request for the index of the corresponding indirect multi-page document.	In
       fact, when you access a bundled document using djvuserve, the browser gets redirected to the following URL:

	  http://server/cgi-bin/djvuserve/dir/doc.djvu/index.djvu

       and then behaves as if the bundled file was a directory containing the various component files of an equivalent indirect document.

ACCESS CONTROL

       Program	djvuserve,  like many CGI programs, bypasses a number of access protections established in a web server.  Assume for instance that
       your web site contains DjVu files protected by a password.  Program djvuserve knows nothing about this protection and  will  happily  serve
       any DjVu file associated with a valid URL.

       Access  control	with  djvuserve  can  be  implemented by first remembering that the web server always executes program djvuserve via shell
       script /var/www/cgi-bin/djvuserve.

       This script can decide to execute the real program djvuserve on the basis of the target filename  available  in	the  environment  variable
       PATH_TRANSLATED.

       There  can  be several such scripts providing access to various collections of DjVu files.  Each of these scripts can be password protected
       using the usual methods supported by your web server.

KNOWN BUGS

       Hyperlinks specified using a relative URL may not work with djvuserve.  These URLs are relative to  the	URL  of  the  DjVu  document.  Yet
       djvuserve     changes	 the	 apparent     document	   URL	   http://server/dir/doc.djvu	 into	 the	more	complicated    URL
       http://server/cgi-bin/djvuserve/dir/doc.djvu/index.djvu.  The extra components change the interpretation of relative URLs.

CREDITS

       This program was written by Leon Bottou <leonb@users.sourceforge.com>.

SEE ALSO

       djvu(1), djvmcvt(1), nsdejavu(1)

DjVuLibre-3.5							    01/22/2002							      DJVUSERVE(1)
All times are GMT -4. The time now is 02:50 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy