Posted to embperl@perl.apache.org by Jon Brisbin <br...@ipa.net> on 2000/08/01 17:27:57 UTC
Re: persistent problem: FIXED...well sorta
> > OR if you just want to use a temp storage area then:
> >
> > BEGIN {
> > $ENV{EMBPERL_SESSION_CLASSES} = "FileStore SysVSemaphoreLocker";
> > $ENV{EMBPERL_SESSION_ARGS} = "Directory=/tmp/sessions";
> > }
I got this to work :-) Which makes me happy...but one other question before
I try it (not really Embperl related, but thought y'all would know :-):
Can I put a <Files> directive in my httpd.conf to disallow viewing of that
directory without affecting the script's execution?? It shouldn't be a
problem, right??
thanks!
jb
Re: persistent problem: FIXED...well sorta
Posted by "Erich L. Markert" <em...@pace.edu>.
I've seen this done. I think (could be wrong) that Minivend, or was it
Perlshop, does something like this.
I, personally, always get nervous (call me paranoid) when data is
residing off a directory that is accessible by the httpd daemon - one admin
configuration mistake and voilà! instant access to sensitive material.
Jon Brisbin wrote:
>
> > Why not pass back the session key and forget the ../tmp portion of the
> > URL?
>
> I was just thinking out loud...
>
> ...saying that if you happened to know a valid session id (very unlikely,
> since it uses cookies), it's still not possible to view the contents of the
> session file in a browser because the server would try to execute that file
> and give a 500 error...so storing session data in ~/httpd/cgi-bin/tmp is
> pretty safe it would seem to me...just thinking out loud :-)
>
> jb
--
__________________________________________________________
Mr. Erich L. Markert emarkert@pace.edu
Computer Learning Center TEL (914)422-4328
Pace University
1 Martine Ave
White Plains, New York 10606-1932
Those who do not understand Unix are condemned to reinvent it, poorly.
-- Henry Spencer
Re: persistent problem: FIXED...well sorta
Posted by Jon Brisbin <br...@ipa.net>.
> Why not pass back the session key and forget the ../tmp portion of the
> URL?
I was just thinking out loud...
...saying that if you happened to know a valid session id (very unlikely,
since it uses cookies), it's still not possible to view the contents of the
session file in a browser because the server would try to execute that file
and give a 500 error...so storing session data in ~/httpd/cgi-bin/tmp is
pretty safe it would seem to me...just thinking out loud :-)
jb
Re: persistent problem: FIXED...well sorta
Posted by "Erich L. Markert" <em...@pace.edu>.
Why not pass back the session key and forget the ../tmp portion of the
URL?
You can then strip off the session id key and your programs would use
this internally?
Jon Brisbin wrote:
>
> Follow-up to this...I forgot that my webserver already disallows viewing of
> Indexes in cgi-bin, so that's good, and if you try to pull it up through
> "/cgi-bin/tmp/23k4j2l3k4j23" it would give you a 500, so that's pretty
> secure, right??
>
> jb
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
> > For additional commands, e-mail: embperl-help@perl.apache.org
Re: persistent problem: FIXED...well sorta
Posted by Jon Brisbin <br...@ipa.net>.
Follow-up to this...I forgot that my webserver already disallows viewing of
Indexes in cgi-bin, so that's good, and if you try to pull it up through
"/cgi-bin/tmp/23k4j2l3k4j23" it would give you a 500, so that's pretty
secure, right??
jb
----- Original Message -----
From: Jon Brisbin <br...@ipa.net>
To: Erich L. Markert <em...@pace.edu>; ___cliff rayman___
<cl...@genwax.com>
Cc: <em...@perl.apache.org>
Sent: Tuesday, August 01, 2000 10:27 AM
Subject: Re: persistent problem: FIXED...well sorta
> > > OR if you just want to use a temp storage area then:
> > >
> > > BEGIN {
> > > $ENV{EMBPERL_SESSION_CLASSES} = "FileStore SysVSemaphoreLocker";
> > > $ENV{EMBPERL_SESSION_ARGS} = "Directory=/tmp/sessions";
> > > }
>
> I got this to work :-) Which makes me happy...but one other question before
> I try it (not really Embperl related, but thought y'all would know :-):
>
> Can I put a <Files> directive in my httpd.conf to disallow viewing of that
> directory without affecting the script's execution?? It shouldn't be a
> problem, right??
>
> thanks!
>
> jb
Re: persistent problem: FIXED...well sorta
Posted by Jon Brisbin <br...@ipa.net>.
> Can't you use ~/sessions, i.e. create a directory directly under your home
> directory, or have you only access to the part of your home directory that
> is accessible via http? (maybe ~httpd/sessions works also?)
yeah...i guess i could do that too...that would keep it completely away from
the web server :-) i just used tmp/ under cgi-bin because it was there from
CGI::Persistent and sundry experiments...
jb
Re: persistent problem: FIXED...well sorta
Posted by Gerald Richter <ri...@ecos.de>.
>
> i don't...I use ~/httpd/cgi-bin/tmp :-) i'm a virtual server on a shared
> machine with no root access, so i have to do it this way...the server runs
> under my uid, too, so others can't see it that way either...
>
Can't you use ~/sessions, i.e. create a directory directly under your home
directory, or have you only access to the part of your home directory that
is accessible via http? (maybe ~httpd/sessions works also?)
Gerald
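An added example, not code from this thread or from Embperl: one way to act on the suggestion above of a session directory under the home directory, checking its location, ownership and permissions before handing it to the session store. The sub name checked_session_dir and the assumption that the web tree is ~/httpd are hypothetical; the two environment variables are the ones quoted elsewhere in the thread.

```perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Spec;

# Hypothetical helper: return $dir if it is safe to use as a session
# store, die otherwise. $docroot is the tree the web server can serve.
sub checked_session_dir {
    my ($dir, $docroot) = @_;
    $dir     = File::Spec->rel2abs($dir);
    $docroot = File::Spec->rel2abs($docroot);

    # Refuse a location that the web server could map to a URL.
    die "$dir is inside the web tree $docroot\n"
        if index("$dir/", "$docroot/") == 0;

    # Create it private to the owner if nothing is there yet.
    # The umask can only remove bits from 0700, never add any.
    unless (-e $dir || -l $dir) {
        mkdir($dir, 0700) or die "mkdir $dir: $!\n";
    }

    # lstat does not follow symlinks, so a link planted by another
    # local user is rejected instead of being followed.
    my @st = lstat($dir) or die "lstat $dir: $!\n";
    die "$dir is not a real directory\n" unless S_ISDIR($st[2]);
    die "$dir is not owned by uid " . $> . "\n" unless $st[4] == $>;
    die sprintf("%s has mode %04o, group/other bits must be clear\n",
                $dir, S_IMODE($st[2]))
        if S_IMODE($st[2]) & 0077;

    return $dir;
}

BEGIN {
    # Assumption: $HOME/httpd is the web tree, $HOME/sessions is outside it.
    my $dir = checked_session_dir("$ENV{HOME}/sessions", "$ENV{HOME}/httpd");
    $ENV{EMBPERL_SESSION_CLASSES} = "FileStore SysVSemaphoreLocker";
    $ENV{EMBPERL_SESSION_ARGS}    = "Directory=$dir";
}
```

Pointing the same check at a directory under cgi-bin or at a group- or world-accessible directory makes the script die at compile time instead of starting with an exposed session store.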
Re: persistent problem: FIXED...well sorta
Posted by "Erich L. Markert" <em...@pace.edu>.
What are the permissions on this directory?
Jon Brisbin wrote:
>
> i don't...I use ~/httpd/cgi-bin/tmp :-) i'm a virtual server on a shared
> machine with no root access, so i have to do it this way...the server runs
> under my uid, too, so others can't see it that way either...
>
> jb
Re: persistent problem: FIXED...well sorta
Posted by Jon Brisbin <br...@ipa.net>.
i don't...I use ~/httpd/cgi-bin/tmp :-) i'm a virtual server on a shared
machine with no root access, so i have to do it this way...the server runs
under my uid, too, so others can't see it that way either...
jb
----- Original Message -----
From: Erich L. Markert <em...@pace.edu>
To: Jon Brisbin <br...@ipa.net>
Cc: ___cliff rayman___ <cl...@genwax.com>; <em...@perl.apache.org>
Sent: Tuesday, August 01, 2000 11:38 AM
Subject: Re: persistent problem: FIXED...well sorta
> /tmp isn't viewable via the web by default. You would have to actually
> add a directive to httpd.conf to do so.
>
> I would strongly suggest placing this sessions directory somewhere else
> than /tmp. Even if you change the ownership and permissions on the
> /tmp/sessions directory /tmp has very lax permissions because everyone
> is supposed to be able to read/write to this temp storage... That said, bad
> things can happen. As a rule, NEVER, EVER trust data that has been
> stored in /tmp!
Re: persistent problem: FIXED...well sorta
Posted by "Erich L. Markert" <em...@pace.edu>.
/tmp isn't viewable via the web by default. You would have to actually
add a directive to httpd.conf to do so.
I would strongly suggest placing this sessions directory somewhere else
than /tmp. Even if you change the ownership and permissions on the
/tmp/sessions directory /tmp has very lax permissions because everyone
is supposed to be able to read/write to this temp storage... That said, bad
things can happen. As a rule, NEVER, EVER trust data that has been
stored in /tmp!
Jon Brisbin wrote:
>
> > > OR if you just want to use a temp storage area then:
> > >
> > > BEGIN {
> > > $ENV{EMBPERL_SESSION_CLASSES} = "FileStore SysVSemaphoreLocker";
> > > $ENV{EMBPERL_SESSION_ARGS} = "Directory=/tmp/sessions";
> > > }
>
> I got this to work :-) Which makes me happy...but one other question before
> I try it (not really Embperl related, but thought y'all would know :-):
>
> Can I put a <Files> directive in my httpd.conf to disallow viewing of that
> directory without affecting the script's execution?? It shouldn't be a
> problem, right??
>
> thanks!
>
> jb
>