Running gallery?

troy fryman at sonic.net
Tue Feb 11 18:02:01 PST 2003


On Tue, Feb 11, 2003 at 04:25:52PM -0800, error wrote:
> 
> > Maybe I read this wrong, but this doesn't seem to have much to do with
> > gallery.  You're going to run into this wherever you have multiple users
> > whose cgi's run as the webserver UID, and webserver UID writable files
> > and dirs.  CGIwrap would help in this case.
> 
> Yes this is true but there are some interesting points.
> For one inside your album dir you have .htaccess that is configured as
> owned by the webserver. Owned, not just r-x or r-- but rwx.

Really?  Mine is 644 and owned by my UID.

The configure.sh script to set up gallery contains this:
if [ ! -f config.php ]; then
    touch config.php
fi
if [ ! -f .htaccess ]; then
    touch .htaccess
fi
chmod 666 config.php .htaccess

So .htaccess is set up owned by whomever runs configure.sh.

The secure.sh script for gallery contains this snippet:
if [ -f .htaccess ]; then
    chmod 644 .htaccess
fi

Users are instructed to run secure.sh after setup is complete.

> I think that's just as bad as making a file owned by you 777 and who in
> their right mind does that?

People hoping someone will upload some cool war3z :)

> > The safe_mode thing *is* annoying though.  And gallery doesn't seem to work on
> > php 4.3 (because of a register_globals side effect that has been fixed in
> > php 4.3)  So there's definitely some code cleanup to be done.  I *think*
> > that gallery is reasonably safe if you're running it on a server without
> > untrusted users w/cgi access.  Meaning, I don't see any XSS issues with
> > form input, or other client side trickery.
> 
> Gallery does work for me on 4.3 and it has some errors.
> FreeBSD build however.

Causes php to segfault here, though not on all albums.

[ lots of other points, that I mostly agree with, though I still don't
think gallery is as bad as you say. ]

That's why I don't leave anything important on Sonic webservers even
though they've got fat pipes and redundancy.  Can you believe I still
have a Matt's Script guestbook circa 1996?  Oh the shame!


> And what great timing! Here comes a php discussion tonight!

Damn, I miss NBLUG <sniff>

-troy
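As an added example (not part of Troy's message or of the Gallery scripts), here is a small check for the state configure.sh leaves behind (config.php and .htaccess at mode 666) and a function that re-applies what secure.sh does; the stat flags and the temporary album directory are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread or the Gallery project.

# Return 0 when neither config.php nor .htaccess in $1 is world-writable,
# 1 when at least one still carries the mode 666 that configure.sh sets.
gallery_perms_ok() {
    dir="$1"
    ok=0
    for f in "$dir/config.php" "$dir/.htaccess"; do
        [ -f "$f" ] || continue
        # GNU coreutils stat uses -c, BSD/macOS stat uses -f (assumption: one of them exists).
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%OLp' "$f")
        # Last octal digit is the "other" permission set; 2, 3, 6 or 7 include write.
        case "$mode" in
            *[2367]) echo "$f is world-writable (mode $mode)"; ok=1 ;;
        esac
    done
    return $ok
}

# Re-apply what secure.sh does: drop group/other write on both files.
secure_gallery() {
    for f in "$1/config.php" "$1/.htaccess"; do
        if [ -f "$f" ]; then
            chmod 644 "$f"
        fi
    done
}

# Demonstration on a constructed temporary album directory.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/config.php" "$tmp/.htaccess"
    chmod 666 "$tmp/config.php" "$tmp/.htaccess"   # what configure.sh leaves behind
    if gallery_perms_ok "$tmp"; then echo "$tmp: clean"; else echo "$tmp: run secure.sh"; fi
    secure_gallery "$tmp"
    if gallery_perms_ok "$tmp"; then echo "$tmp: clean"; else echo "$tmp: run secure.sh"; fi
    rm -rf "$tmp"
}

demo
```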
