How does Hiawatha treat /tmp

15 September 2011, 20:44
Hello Hugo

I always like to keep my /tmp separated with noexec,nosuid options when I am able to.. but unfortunately I can't do that in my current setup. So I thought.. "hey it's Hiawatha, maybe Hugo took care of this"
You know.. other web servers use /tmp for tmp uploads, sessions etc and script kiddies often use this location for "bad things". So can you tell me whether and how Hiawatha takes care of this?


Hiawatha version: 7.6
Operating System: Debian
Hugo Leisink
15 September 2011, 20:48
Sure. Hiawatha has a 'working directory'. In this directory, the unix sockets for FastCGI are stored, a directory with temporary data for the Hiawatha Monitor and a directory for file uploads (PUT requests). The default location of this directory can be found in the manual (it is installation dependent). For Debian, it's /var/lib/hiawatha. You can change this to /tmp/hiawatha via the WorkDirectory setting.
WorkDirectory = /tmp/hiawatha
15 September 2011, 21:07
And what are the default permissions on that directory? Does the same apply to 'regular' CGI too or just FastCGI?

Hugo Leisink
15 September 2011, 21:15
drwx------ www-data:www-data for WorkDirectory
drwx------ www-data:www-data for monitor subdirectory
drwx-wx-wt root:root for upload subdirectory

'regular' CGI doesn't use unix sockets, so it's FastCGI only.
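The permission listing above can be turned into a quick audit. The following shell script is an added example, not code from Hiawatha or from Hugo: it checks that a WorkDirectory (on Debian the default is /var/lib/hiawatha, per the answer above) and its monitor and upload subdirectories carry exactly the modes listed in this thread, optionally that the first two are owned by the web server user, and shows the mount options of the filesystem holding the directory so you can see whether a WorkDirectory relocated under /tmp inherits noexec/nosuid. It assumes a Linux system with GNU stat and findmnt from util-linux.

```shell
#!/bin/sh
# Audit a Hiawatha WorkDirectory layout against the permissions listed in the
# thread above. Added example, not part of Hiawatha. Assumes GNU stat (Linux).
# Usage: audit_workdir /var/lib/hiawatha [www-data]

# expected_mode SUBDIR -> octal mode the thread gives for that entry
expected_mode() {
    case "$1" in
        .)       echo 700  ;;  # drwx------ the WorkDirectory itself
        monitor) echo 700  ;;  # drwx------ monitor subdirectory
        upload)  echo 1733 ;;  # drwx-wx-wt upload subdirectory (sticky, no listing for group/other)
        *)       return 1 ;;
    esac
}

# audit_workdir DIR [OWNER]
# Prints one line per deviation; returns 0 when everything matches, 1 otherwise.
audit_workdir() {
    dir=$1
    owner=${2:-}
    status=0
    for sub in . monitor upload; do
        path="$dir/$sub"
        if [ ! -d "$path" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        want=$(expected_mode "$sub")
        have=$(stat -c '%a' "$path")
        if [ "$have" != "$want" ]; then
            echo "MODE $path is $have, expected $want"
            status=1
        fi
        # The thread lists the WorkDirectory and monitor dir as owned by the web
        # server user and the upload dir as root-owned, so skip upload here.
        if [ -n "$owner" ] && [ "$sub" != upload ]; then
            have_owner=$(stat -c '%U' "$path")
            if [ "$have_owner" != "$owner" ]; then
                echo "OWNER $path is $have_owner, expected $owner"
                status=1
            fi
        fi
    done
    return $status
}

# mount_opts DIR -> mount options of the filesystem holding DIR, so a
# WorkDirectory placed under /tmp can be checked for noexec/nosuid.
mount_opts() {
    findmnt -n -o OPTIONS --target "$1" 2>/dev/null
}

# When run as a script: audit the directory given on the command line.
if [ $# -gt 0 ]; then
    audit_workdir "$@" && echo "OK: $1 matches the expected layout"
    echo "mount options: $(mount_opts "$1")"
fi
```

Run it as `sh audit.sh /var/lib/hiawatha www-data` (or against /tmp/hiawatha after changing WorkDirectory); a non-zero exit with MODE or OWNER lines means the layout drifted from the one Hugo describes.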
15 September 2011, 21:19
Okay.. got it. So to sum up.. Running Hiawatha on "non-secured" /tmp is better than running other servers in the same setup or.. ? : )
Hugo Leisink
15 September 2011, 21:22
Only thing I can say is that I did my best to make Hiawatha secure. I don't know the 'other servers' that well to judge them. I leave that up to people like you.
15 September 2011, 21:28
Well if you sleep tight at night I bet I can do it too.. : ). Even though I have 0 experience when it comes to coding (to check your code skills eh.. : ) ) I like the options that Hiawatha offers
Hugo Leisink
15 September 2011, 21:35
Well, what can I say. Because I claim that Hiawatha is secure, I receive a lot of 'visits' from people who want to test that. I even challenged several people who said that I shouldn't claim Hiawatha is secure until I gave them some proof. My challenge to 'prove me wrong' never led to any hack. All my websites are still running fine, they never got defaced. Yes, I sleep very well at night. And when there is another Apache vulnerability found, there is even a big smile on my face all night long.
This topic has been closed.