Permissions
If you don’t (or can’t) go the cgiwrap/suexec route, the alternative “dumb” recommendation in the Movable Type setup instructions is to set the permissions on your blog directory to 777.
I suppose this is necessary if you don’t have administrator access on your web server. The UID under which the web server runs needs to have write-access to your blog directory. So you either use cgiwrap or suexec to grant the CGI-scripts write-access to all your files, or you make your blog directory writable by anyone (including the web server).
But if you do have administrator access, then there is obviously a more secure alternative: change the ownership of the blog directory to match the UID of the web server (under MacOSX, this is “www”).
Since some significant fraction of their users do run their own web servers, it behooves the MT people to explain this, rather than offering the other two, distinctly inferior, solutions.
If this is what their Installation instructions are like, it makes me wonder about the attention to security in the software itself.
I have to admit, though, that they have put together a very extensive blog management package, and made it freeware. So I shouldn’t complain …
Posted by distler at October 13, 2002 6:19 PM