Solved

File permissions - cgi etc

Posted on 1998-09-03
9
619 Views
Last Modified: 2013-12-16
As a complete Unix newbie who's just been given the keys to a virtual server, I'm confused by file permissions for cgi scripts.  Having set up my cgi-bin directory and uploaded some scripts, I can't work out which chmod setting to give them.  And how do I prevent access to the directory while still permitting the right level of access to the scripts?  Can I just password protect the directory using the .htaccess file, or will that prevent access to the script functions?  I've been given several conflicting opinions on this, so I need an answer that is guaranteed to work (ideally one that someone can show me is working on their own server).
0
Question by:Polemic
9 Comments
 
LVL 4

Expert Comment

by:jlms
ID: 1812156
For scripts that have to run you can give permissions like this:
711  read, write and execute for the owner and execute for the rest of the world.

511 read for the owner of the script and execute for the rest of the world.

111 execute for everybody, no read or write permission.

Now, to block access to the directory (understanding access like the possibility to modify things in the directory) you can change the permissions of the cgi-bin directory to:

755 that is owner can modify, but the rest of the world can change to the directory but cannot modify anything inside the directory.

You can use these numeric values for chown or the equivalent letter codes.


0
 

Author Comment

by:Polemic
ID: 1812157
jlms:

Okay, so which permission, specifically, should I use for:

- form to mail
- polling
- www board
- html chat
- visitor logging

and similar scripts?  Is making them only executable for the rest of the world (711) okay?  What if the script in some way needs to create or update files?  I was told they'd then have to be 777.

755 seems to be the general consensus for the directory, but I'm getting conflicting advice for the scripts themselves.

You'll have to excuse my ignorance here, but we may as well be speaking a foreign language, and I need a sure-fire guaranteed-to-work answer where I can install a script and not have to guess the correct chmod.



0
 

Author Comment

by:Polemic
ID: 1812158
I've rejected jlms' answer because I need a definitive response.  I'm not equipped to choose between three or four options because I don't have sufficient understanding of the likely effects.  What I need is someone to tell me either "install them and chmod them xxx" or alternatively a list of "if... then..." answers which will allow me to easily choose which chmod setting to use on a particular script.  jlms, you're welcome to re-submit your answer in this form, but having not heard from you for a few days I felt it only fair to let others have a go at answering.
0
 
LVL 1

Expert Comment

by:TSchock
ID: 1812159
Permissions
"How do I stop people who are not in my group from reading a directory?"
Type chmod o-r directory while you are in the directory above it.
"How do I stop people who are not in my group from writing to a directory?"
Type chmod g-w directory while you are in the directory above it.

How do I run my own CGI programs?
Put your CGI programs in the cgi-bin directory you will create in any directory. Make sure you upload them in ASCII mode.
Change permissions to 755 for the script (chmod 755 script-name)
0

 

Author Comment

by:Polemic
ID: 1812160
Sorry, but this isn't the comprehensive answer I'm looking for.  What is my "group"?? As I said I have no real knowledge of this topic at all, and need a kind of if... then... or something else to which I can refer.

I have the directory, and I have its permission set to 755.  What should I do with the scripts in it?  Do different cgi scripts need different permissions?  If so, how do I determine what permission to set and exactly what is that permission, in the format "chmod XXX" please?

And is it necessary, having set permission on the directory to 755, to restrict access to it via .htaccess, or will that prevent the scripts inside it from being executed?

0
 
LVL 1

Expert Comment

by:turnkey
ID: 1812161
Polemic:

What web server are you using (e.g. Apache, NCSA, etc.)?

Where are your htdocs run from (e.g. /var/www/domain/htdocs)?

Where are your cgi's run from (e.g. /var/www/domain/cgi-bin)?

Once I get an answer, I will post the exact syntax for you to type in order to protect your server, the cgi's, etc., etc.

Regards,
turnkey
0
 

Author Comment

by:Polemic
ID: 1812162
turnkey:

I'm told it's an Apache server.  That's all the info I was able to get from the manual - if you need more, tell me what commands to enter to get the server to list the version etc etc.

Now, paths:
ht docs: usr/local/etc/httpd/htdocs/polemic
cgi's: usr/local/etc/httpd/htdocs/polemic/cgi-bin
perl: /usr/bin/perl

I finally got some scripts running, but only by deleting the .htaccess file from the cgi-bin directory.  Keeping it there was giving me "500 Server Error" messages.

And I'm still getting conflicting advice from the various scripts' readmes as to the right chmod - most seem to say 755, with the odd data.txt file and suchlike to 777, but others say different.

Hope that's what you wanted to know, turnkey.  If not, I'll do my best to track down other relevant info if you give me some idea how to get it.

Thanks, Polemic

0
 
LVL 1

Accepted Solution

by:
turnkey earned 150 total points
ID: 1812163
Polemic:

Great, the Apache webserver is the most widely used on unix operating systems.  The Apache webserver is usually run as user "nobody" and group "nobody" (this is the default and is configured by the httpd.conf file located in /usr/local/etc/httpd directory).  Below is a step-by-step outline on configuring your directories, files, cgi's, etc. to get everything working properly.  You do not need to password protect the cgi-bin directory (with .htaccess and .htpasswd directives) because Apache forbids browsing access within the directory by default.

Enter the commands into your system EXACTLY as I have listed below (without the # prompts, of course) and hit <RETURN> after each command.  You need to enter these commands as the root user.  

Alright...Here we go:

1).  Change to the polemic directory by typing the following:
     #cd /usr/local/etc/httpd/htdocs/polemic

2).  Change permissions on the sub-directories by typing:
     #chmod 755 *

3).  Change permissions on the "." and ".." dirs by typing:
     #chmod 755 .
     #chmod 755 ..

4).  Change to the cgi-bin directory by typing:
     #cd cgi-bin

5).  Change permissions on the files in the cgi-bin by typing:
     #chmod 755 *

6).  Change group/owner of your cgi scripts to nobody/nobody.
     Doing this ensures that the Apache web server (which, as
     mentioned above, runs as user "nobody" and is a member of
     the group "nobody") is the only user that is actually given
     full access to the cgi scripts.  You should substitute
     "my.cgi" with the actual name of your cgi script file.
     Repeat the commands for each additional cgi script that you
     have currently or after you install any new scripts
     (e.g. mailform.cgi, polling.cgi, chat.cgi)
     #chown nobody:nobody my.cgi
     #chmod 755 my.cgi

7).  Just to be sure, let's verify that your htdocs files are
     also set to the correct permissions.  Type:
     #cd /usr/local/etc/httpd/htdocs/polemic/htdocs
     #chmod 755 .
     #chmod 755 ..
     #chmod 666 *

8).  O.K., that's everything.  Basically, what we've done is ensured that the cgi's can only be manipulated by the user nobody.  The scripts will interact with other binaries as written without problem.  You should now re-start the Apache web server so that the changes in permissions are seen by Apache.

If you have any questions or problems, please let me know ASAP.

Regards,
turnkey
0
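
Added example (not part of the original thread or any poster's answer): a shell function that audits a cgi-bin tree for three permission states raised above: world-writable files (777/666), scripts where "other" lacks read or execute (711, 644), and scripts the server account both owns and can write. The function name audit_cgi, the finding labels and the *.cgi/*.pl naming convention are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a cgi-bin tree for permission states discussed in the thread.
# Usage: audit_cgi DIR [WEBUSER]
#   WEBUSER defaults to "nobody", the server account named in the accepted answer.
# Assumption: CGI scripts are the regular files named *.cgi or *.pl.
# Output: one finding per line, "<LABEL> <path>".
audit_cgi() {
    dir=$1
    webuser=${2:-nobody}

    # Mode 777 or 666: every local account on a shared host can alter
    # these files, not just the web server.
    find "$dir" ! -type l -perm -0002 -print |
        sed 's/^/WORLD-WRITABLE /'

    # Interpreted scripts (e.g. Perl) must be readable as well as executable
    # by the account that runs them. This flags modes such as 711 or 644,
    # which matters whenever the server account is not the file's owner.
    find "$dir" -type f \( -name '*.cgi' -o -name '*.pl' \) \
        ! -perm -0005 -print |
        sed 's/^/OTHER-LACKS-RX /'

    # Scripts owned by the server account with the owner write bit set:
    # the server process, and any script it runs, can modify them.
    find "$dir" -type f \( -name '*.cgi' -o -name '*.pl' \) \
        -user "$webuser" -perm -0200 -print |
        sed 's/^/SERVER-CAN-REWRITE /'
}

# Run directly as:  sh audit_cgi.sh /path/to/cgi-bin nobody
if [ "$#" -ge 1 ]; then
    audit_cgi "$@"
fi
```

The checks read mode bits and ownership only, so the function can be run by the account owner without root and changes nothing on disk.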
 

Author Comment

by:Polemic
ID: 1812164
Thanks turnkey.  The only problem I'll have with this is that I doubt very much that they'll restart the server for me because other sites are on it as well and they're always telling me that I mustn't do anything to interrupt their service.  But that's not your fault - it's a comprehensive easily understandable answer that even I can understand!  Thanks.
0


Question has a verified solution.
