FAQ: CGI User Permissions


When I run Sawmill as a CGI, it runs as a special user (nobody, web, apache, etc.). Then when I want to use Sawmill from the command line or in web server mode, the permissions don't allow it. What can I do about this?

Short Answer

Loosen the permissions in the Preferences, or run your CGI programs as a different user, or run your command line programs as the CGI user.

Long Answer

For security reasons, UNIX web servers often run CGI programs as a special user, commonly nobody, web, cgi, or apache. When you run Sawmill in CGI mode, it runs as this user, and any files it creates are owned by that user. This can cause problems if you later need to run Sawmill as a different user, for instance to run a command-line database update: the files created by the CGI user will not be accessible to the non-CGI user, and you will get errors about Sawmill not being able to read or write certain files.

There are several possible solutions to this problem:

  1. You can run your command lines as the CGI user. This is often the easiest solution. If your CGI user is user nobody, then use "su nobody" to change to user nobody, and then run your commands as that user. Since both the CGI version and the command-line version will be running as the same user, there will be no permissions issues. You may need to configure a password, shell, and home directory for user nobody before you can log in as that user, which will require root access. This option is slightly insecure because giving user "nobody" a home directory and a shell makes it a slightly more powerful user; if the purpose of using "nobody" as the CGI user was to run CGI programs with a powerless user, this circumvents that security somewhat.

  2. You can run your CGI program as the command-line user. If your username is "myself", then you can reconfigure your web server to run CGI programs as that user, rather than the user it's using now. You may even be able to configure the server to run only Sawmill as that user, while continuing to run other programs with the usual CGI user. Because both the CGI version of Sawmill and the command line version will be running as user "myself", there will be no permissions issues. This may be difficult to configure, however; see your web server documentation for instructions on how to configure your server to run CGI programs as a different user. On some servers, this may not be possible.

  3. You can change the permissions of the files that Sawmill creates, by editing the permissions options in the Preferences. This is usually an insecure solution, however, since you'll need to loosen many of the permissions to 777 (everyone can read, write, execute/search), which makes your files vulnerable to modification by unauthorized users on the machine. This option may be acceptable, however, if access to the machine is limited to authorized users; i.e. if the only ones who can log in by telnet, SSH, FTP, etc. are those who are trusted Sawmill administrators.

Any one of these solutions will work; you do not need to do more than one of these.
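
To see which of these situations a directory is in, the following added example (not part of the Sawmill documentation) lists files not owned by the user running it, which is the cause of the read/write errors described above, and files left writable by everyone, as solution 3 produces. The function names and the directory argument are assumptions of this example; no Sawmill path is implied.

```shell
#!/bin/sh
# Added example: audit a directory tree for the two permission problems
# discussed in this FAQ. The directory to check is passed as an argument.

# Paths NOT owned by the invoking user (for instance, created by the CGI
# user). A command-line run as a different user may fail on these.
foreign_owned() {
    find "$1" ! -user "$(id -u)" -print
}

# Paths writable by every local account (the "other" write bit, as set by
# mode 777 or 666). Symlinks are skipped: their mode bits are not meaningful.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Print a report; return 0 if clean, 1 if anything was flagged, 2 on bad input.
audit_tree() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    foreign=$(foreign_owned "$dir")
    loose=$(world_writable "$dir")
    status=0
    if [ -n "$foreign" ]; then
        echo "Not owned by $(id -u) (ownership mismatch between CGI and command line):"
        echo "$foreign"
        status=1
    fi
    if [ -n "$loose" ]; then
        echo "World-writable (any local user can modify):"
        echo "$loose"
        status=1
    fi
    return "$status"
}

# When run as a script with a directory argument, audit that directory.
[ "$#" -eq 0 ] || audit_tree "$1"
```

Run it as the command-line user against the directory where the CGI version writes its files; an empty report means neither problem is present.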