Posted by jw88574@hooya.com on 12/18/07 16:33
Using Apache on an old PIII with Knoppix
I am playing with a CAPTCHA image builder on my personal site and it works
pretty well. It builds an image on the fly in /var/www/pictures and hands
the actual code to a CGI script.
But the image it makes can be seen by anybody just by surfing to
http://somehost/pictures. So putting a security feature in the document
root is probably not a good idea. Changing the path to build the image to
/usr/lib/cgi-bin/pictures solves the visibility problem, but the HTML code
that the CGI script makes does not have the authority to see the new
location.
So it comes down to my not understanding the security of web scripts well
enough.
As I understand it, on this Apache the user comes in as user www-data.
The ownership and group of ./cgi-bin/pictures is www-data. I think this
is true because if the CGI scripts aren't owned by www-data, they won't
run. But some of the documentation says that an Apache user always
comes in as unknown, and I haven't resolved this issue yet, like why would
user unknown be allowed to run a script rather than be escorted to
/dev/null?
After thinking about it, it would seem that by giving a world-visible HTML
script the rights to see an image, wherever it is, it would be impossible
to keep that surfer from seeing the image in the raw, so to speak. To put
it another way, is there a method to allow an HTML script in the document
root to see an image (or file or whatever) and still prevent access to
that resource?
Tnx
James White
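The usual way out of the dilemma described in the post is to stop letting Apache serve the image as a static file at all: the image lives outside the document root, and a CGI script reads it and writes the bytes back with an image/png header, but only when the request carries a random one-time token that the image builder minted when it rendered the picture. The browser still gets the image through an <img> tag pointing at the script, yet there is no path anyone can browse to and list. The following is an added example written for this page, not code from the original poster or from Apache; it assumes a directory /var/lib/captcha that the Apache user (www-data in the post) can read and write, a script reachable as /cgi-bin/captcha.py, and a query parameter named t, all of which are assumptions rather than anything the post specifies.

```python
#!/usr/bin/env python3
"""Serve a CAPTCHA image that lives outside the document root (added example).

Assumptions, not taken from the original post: the image builder writes into
IMAGE_DIR (/var/lib/captcha, readable and writable by the Apache user but not
under /var/www), the CGI is requested as /cgi-bin/captcha.py?t=<token>, and a
token is good for exactly one fetch, so a saved URL cannot be replayed.
"""
import os
import re
import secrets
import sys
import tempfile

IMAGE_DIR = "/var/lib/captcha"            # assumed location, outside DocumentRoot
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")  # the only shape a token may have


def new_token():
    """128-bit random token; it doubles as the file name, so the URL reveals nothing."""
    return secrets.token_hex(16)


def store_image(png_bytes, image_dir=IMAGE_DIR):
    """Write an already-rendered PNG under a fresh token and return the token.

    The CAPTCHA builder would call this instead of writing into /var/www/pictures.
    O_EXCL refuses to overwrite, and 0o600 keeps the file private to the Apache user.
    """
    token = new_token()
    path = os.path.join(image_dir, token + ".png")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(png_bytes)
    return token


def fetch_and_burn(token, image_dir=IMAGE_DIR):
    """Return the image bytes for a well-formed token and delete the file.

    Returns None when the token is malformed, unknown, or already used.
    The regex check runs before any filesystem access, so '../' or absolute
    paths never reach os.path.join.
    """
    if not TOKEN_RE.match(token):
        return None
    path = os.path.join(image_dir, token + ".png")
    try:
        with open(path, "rb") as f:
            data = f.read()
    except FileNotFoundError:
        return None
    os.unlink(path)  # one shot: a second request for the same token gets a 404
    return data


def parse_token(query_string):
    """Pull t=... out of QUERY_STRING without trusting anything else in it."""
    for part in query_string.split("&"):
        key, _, value = part.partition("=")
        if key == "t":
            return value
    return ""


def handle(query_string, image_dir=IMAGE_DIR):
    """Build the CGI response as (status, content_type, body)."""
    data = fetch_and_burn(parse_token(query_string), image_dir)
    if data is None:
        return "404 Not Found", "text/plain", b"no such image\n"
    return "200 OK", "image/png", data


def demo():
    """Self-check on a constructed image in a temporary directory; returns what happened."""
    # Constructed bytes with a PNG signature, not a real CAPTCHA render.
    sample_png = b"\x89PNG\r\n\x1a\n" + b"constructed-captcha-bytes"
    with tempfile.TemporaryDirectory() as d:
        token = store_image(sample_png, d)
        first = handle("t=" + token, d)            # legitimate fetch by the <img> tag
        second = handle("t=" + token, d)           # replay of the same URL
        traversal = handle("t=../../etc/passwd", d)  # hostile token
        return {
            "token_ok": bool(TOKEN_RE.match(token)),
            "first_status": first[0], "first_type": first[1], "first_body": first[2],
            "second_status": second[0],
            "traversal_status": traversal[0],
            "file_left": os.path.exists(os.path.join(d, token + ".png")),
        }


if __name__ == "__main__":
    # Apache's CGI handler passes the query in QUERY_STRING; emit CGI headers, then the body.
    status, ctype, body = handle(os.environ.get("QUERY_STRING", ""))
    sys.stdout.write(f"Status: {status}\r\nContent-Type: {ctype}\r\n"
                     f"Cache-Control: no-store\r\nContent-Length: {len(body)}\r\n\r\n")
    sys.stdout.flush()
    sys.stdout.buffer.write(body)
```

The page that displays the challenge would embed `<img src="/cgi-bin/captcha.py?t=TOKEN">` using the token returned by store_image, and the script that checks the user's answer would key its expected text on the same token (that lookup is left out here). Because the file is created by the Apache user with mode 0600 and the directory is not under the document root, there is no URL that lists or fetches the raw image; the only path to the bytes is through this script, and it hands them out once.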