Reply to Re: Confusion on HTML visibility


Posted by Bone Ur on 12/19/07 01:42

Well bust mah britches and call me cheeky, on Tue, 18 Dec 2007 16:33:55
GMT jw88574@hooya.com scribed:

> Using Apache on an old PIII with Knoppix
>
> I am playing with a captcha image builder on my personal site and it
> works pretty good. It builds an image on the fly in var/www/pictures
> and hands the actual code to a cgi script.
>
> But, the image it makes can be seen by anybody just by surfing to
> http://somehost/pictures. So putting a security feature in the
> document root is probably not a good idea. Changing the path to build
> the image to /usr/lib/cgi-bin/pictures solves the visibility problem
> but the HTML code that the cgi-script makes does not have the
> authority to see the new location.
>
> So it comes down to my not understanding the security of web scripts
> well enough.
>
> As I understand it, on this Apache the user comes in as user www-data.
> The ownership and group to ./cgi-bin/pictures is www-data. I think
> this is true because if the cgi-scripts aren't owned by www-data, they
> can't or won't run. But some of the documentation says that an Apache
> user always comes in as unknown and I haven't resolved this issue yet,
> like why would user unknown be allowed to run a script, rather than be
> escorted to /dev/null.
>
> After thinking about it, it would seem that by giving a world visible
> HTML script the rights to see an image, wherever it is, it would be
> impossible to keep that surfer from seeing the image in the raw, so to
> speak. To put it another way, is there a method to allow an HTML
> script in the document root to see an image (or file or whatever) and
> still prevent access to that resource?

Depends on exactly what you mean by "access".

Regarding this image for instance, how would someone see it now without
using your page?

--
Bone Ur
Cavemen have formidable pheromones.
