Solved

rwx setting

Posted on 2002-05-24
Last Modified: 2010-04-20
Hi Experts,

just got 2 simple questions to ask:

1) if i set a directory to be drw-r--r-- i'll get "403 forbidden" error. but if i set it to be "drw-r--r-x" i'll be able to view its contents. why is that? coz it's counter-intuitive to me. my understanding is: r stands for read, so i should be able to read the directory's contents.

2) there's a file "abc.tar.gz" that has been set "-rw-r-----". but i found out that i'm still able to click on it and download it. by setting "-rw-r-----" i tried to let people know a file called "abc.tar.gz" exists but not downloadable. so how can i let people know this file exists but disallow them from downloading?

Thanks,
KEN
0
Question by:ken021600
 
LVL 51

Expert Comment

by:ahoffmann
1) "403 forbidden" is from within your browser, right?
  The webserver changes (cd) to the directory to read the files. Without the x-bit set it cannot cd, but read.

2) chmod 000 abc.tar.gz
0
 

Author Comment

by:ken021600
hi nice to see you again!

regarding my second question, i found out that it will work if i set its mode to "chmod 700 abc.tar.gz". but the file will become downloadable if i set either "701" or "704"!

so could you tell me why both "704" and "701" could make the file downloadable?

and one more quick question: under windows we can use "putty" to do secure telnetting, so what should i use under Linux? i mean what's putty's counterpart for Linux?

Thanks,
KEN
0
 

Author Comment

by:ken021600
hi there,

i've got some more to ask and i've increased my points.

1) i've put a flash file (xyz.exe) on my site and i've set its mode to be 755. but when i click on it, a small window pops up asking me to download it. so how can i set it so that when people click on that file, the flash will run automatically?

2) (this question has something to do with question 1) it is said that it's bad to give people "w" and "x" permissions. but i've tried to set xyz.exe to be 777 and when i click on this file, i always get that popup windows asking me the path to download this file. i can't see where the dangers are------how people can possibly modify contents or even delete it from my website?

Thanks,
KEN

0
 
LVL 15

Expert Comment

by:samri
ken,

sorry to interrupt.

#1. I think it has to be done at the client side (browser config).  What you need to do is to configure the Helper program to "Run" the application, instead of "Asking" what to do.  If I recall, if you are using IE, then if you click some unknown (or new) file type, you will get a pop-up box, in which you can either save, or Open the apps using certain application.

#2. I think it is more of understanding how Unix file permission works.  To my knowledge, the 3 bits - owner, group, others.  rwx 4+2+1.  So for each file (or dir), access depends on the attributes assigned to the file.  Remember that a file can be owned by anybody on the system, and when the webserver is running it will be running as some userid (Apache for example will run as Apache, but on some systems it will be running as nobody).  With this notion, Apache process by default.

Back to your question, it will be straightforward if somebody can access your server with Apache id (telnet, ftp, rsh, etc. etc), and modify the content.  Or they could manipulate the CGI code to do such.  It's not going straight-forward, but it is possible.
0
 

Author Comment

by:ken021600
Thanks samri,

i've tried both clicking left button and clicking right button. none of the options in the popup menu lets me run this exe program rather than saving it to my hard disk...so i'm waiting for your further help.

as to the security concerns of setting 777, i'll give it a try and see if i'll be able to have a look at someone else's mode setting......i'm currently running Linux, and i don't know what putty's counterpart for Linux is, so i'll have to reboot to Windows and use putty to do it. it may take a while before i can get the answer, so please bear with me for a while.

and i'm waiting for feedback to the question i asked after ahoffmann answered my initial 2 questions.

Thanks for your help,
KEN
0
 
LVL 15

Expert Comment

by:samri
Ken,

Setting up the helper apps would depend on what browser you are running.  For Netscape 4.78 for example, you need to go to "Edit | Preferences | Navigator | Applications".  From there, you can select the Application to modify the existing one, or create, or delete. For IE, .. heck, I have no idea.  I think it depends on Windows Explorer File Types setting.

yeah.  given the experience he (ahoffmann) has, I would be waiting for a more "firm" answer myself.  In fact, I am cutting the conversation -- just feels like adding something :)

good luck.
0
 

Author Comment

by:ken021600
Hi samri,

yes i found out it's dangerous to set modes like 777, coz they usually put all users under a directory and everyone is able to have a look at how other people set their files' modes.

but anyway, if you do nasty things to someone else's file you still could be traced... can a system administrator trace someone who logged in as an anonymous ftp user??

regarding your suggestion to configure netscape, could you be more specific? i'm running Netscape 6. edit-->preferences-->navigator-->helper applications. from there i clicked "new type" and a window pops up, asking me to input:
1) description of type
2) file extension
3) MIME type
4) application to use

i punched in "program" for the first one, "exe" for the second one BUT i don't know what i should fill in to "MIME type" and "application to use". any advice?

as to IE configuration, i have to wait for someone else's help as i have no idea either. :(

Thanks,
KEN
0
 
LVL 15

Expert Comment

by:samri
ken,

yes, if the logging is enabled.  On most systems, check the file xferlog in /var/adm, or /var/log.  However, I think anonymous ftp will be configured in a chroot environment where access is restricted to a certain configured directory tree, and it is quite safe.  But still having 777 permission would be a big NO.

Netscape 6... Hmm.... tried it, damn slow, reverted back to 4.78.

Try to look for similar entries.  Another way; I think the first time the browser sees a new file-type, the pop-up box will appear, and you will have an option of either to save it, or use certain apps to open the file.  I think this setting will be used should the same file-type (extension) be found.

1) description of type - Just use any description, short and precise.  "Text File" for example
2) file extension - The extension, "TXT", without the dot (.), and you could add a few, JPG JPEG
3) MIME type - The file mime type.  I think it won't bother much.  Try to look for an example.
4) application to use - The external apps that you want to use to open the filetype.  This is what will be spawned when you click on the specified file.


Be careful on assigning Apps to executable file types.  EXE BAT COM, VBS, etc.  are dangerous.  By assigning it to be "automatically" executed, somebody could create an EXE file to "DELTREE C:\" which would sure create some havoc if the browser automatically executed them.

I think for IE, it is configured via Windows Explorer | File Type association.

What you can test is to create some type, maybe .TEST, and make it text/plain for MIME type, and use NOTEPAD.EXE to open the file.  This should get you started.

You could get some listing of mime types in the apache config dir.  The file would be mime.types.

and again, be careful in assigning apps to EXE COM BAT SCR, VBS, -- any executable.  Unless you are sure what is happening.

cheers.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 50 total points
as samri already said:

1) this must be done on the client browser: you need to add a helper application for the MIME type and/or file extension
**I don't recommend doing that for *.exe ** for obvious reasons

2) you only need an r-bit for the file, for example:
   chmod 400 xyz.abc
   but the file (xyz.abc) must be owned by the user used for running apache (httpd), this is usually nobody or wwwrun
   no more permissions are necessary
   (most things about security are still described by samri)
----

about putty:
  use ssh and scp on Linux

0
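
Added example, not part of the original thread: a POSIX shell sketch of the check behind the answers above. It shows that exactly one permission class (owner, else group, else other) applies to the web server's account, and that a directory needs both r and x before it can be listed. The function names, the numeric uid/gid arguments and the demo file are assumptions, and it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (-c), numeric
# uid/gid arguments and an account with a single group; root's override
# of permission checks is not modelled.

# access_for PATH UID GID -> "class:rwx" for the ONE class that applies:
# owner if the uid matches, else group if the gid matches, else other.
access_for() {
    info=$(stat -c '%u %g %a' "$1") || return 2
    set -- "$2" "$3" $info   # $1=uid $2=gid $3=owner $4=group $5=mode
    if   [ "$1" = "$3" ]; then class=owner; d=$(( $5 / 100 % 10 ))
    elif [ "$2" = "$4" ]; then class=group; d=$(( $5 / 10 % 10 ))
    else                       class=other; d=$(( $5 % 10 ))
    fi
    r=-; w=-; x=-
    if [ $(( d & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( d & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( d & 1 )) -ne 0 ]; then x=x; fi
    echo "$class:$r$w$x"
}

# web_verdict PATH UID GID -> what a server running as UID/GID may do.
web_verdict() {
    acc=$(access_for "$1" "$2" "$3") || return 2
    case $acc in *:r??) can_r=1 ;; *) can_r=0 ;; esac
    case $acc in *:??x) can_x=1 ;; *) can_x=0 ;; esac
    if [ -d "$1" ]; then
        # Listing needs r (read the names) and x (enter the directory).
        if   [ "$can_r$can_x" = 11 ]; then v=listable
        elif [ "$can_x" = 1 ];        then v=traverse-only
        else                               v=forbidden  # e.g. rw-r--r--
        fi
    elif [ "$can_r" = 1 ]; then v=readable
    else                        v=forbidden
    fi
    # A w bit in the "other" class means any local account can modify it.
    case $acc in other:?w?) v="$v,world-writable" ;; esac
    echo "$v"
}

# Constructed demo with modes from the question; "other" is owner uid/gid + 1.
d_dir=$(mktemp -d); d_file=$d_dir/abc.tar.gz; : > "$d_file"
ou=$(( $(stat -c %u "$d_dir") + 1 )); og=$(( $(stat -c %g "$d_dir") + 1 ))
chmod 640 "$d_file"; echo "-rw-r----- file: $(web_verdict "$d_file" "$ou" "$og")"
chmod 644 "$d_dir";  echo "drw-r--r-- dir:  $(web_verdict "$d_dir" "$ou" "$og")"
chmod 645 "$d_dir";  echo "drw-r--r-x dir:  $(web_verdict "$d_dir" "$ou" "$og")"
chmod 700 "$d_dir"; rm -rf "$d_dir"
```

To audit a real document root, pass the uid and gid of the account the web server runs as and call `web_verdict` on each directory from the root down to the file.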
 

Author Comment

by:ken021600
Hi,
sorry been busy, so haven't gotten the time...

well, it seems i've got what i want and it's the time to finalize this post.

just one more quick question:
i downloaded ssh package and had a read about installation. it is said that i need "zlib" and "ssl" installed first. i had a search and found these two little things. BUT the ssl installed on my linux is a bit old and OPENSSH's installation instruction did mention that old ssl version would cause something(sorry can't remember its name) to not work properly. so it seems to me that i have to install a newer version of ssl. then when i tried to remove ssl through a package management tool(rpmpackage?), i got a warning saying that if i remove ssl, some other packages will be moved as well---which was a long list.

so, will it be possible to upgrade my ssl without hurting anything? how can i do it?

KEN
0

 
LVL 51

Expert Comment

by:ahoffmann
all these package managers suck, unfortunately :-((

It's possible to replace openssl without removing other, dependent packages.
Just get the sources and compile yourself, or install the binary files (mainly libraries) manually.

BTW, ssh can be used without zlib and openssl, you just miss the compress and some cryptographic functionality.
0
 

Author Comment

by:ken021600
well...

i was told by a guy who is sort of a computer guru that it is VERY important to do package management, otherwise you'll leave your whole system a mess.

and i didn't quite catch what you meant. are you saying we don't need package management, or we do need package management but many package management tools are no good? if the latter, please give me an idea which package management tools are worth trying.

Thanks,
KEN
0
 

LVL 51

Expert Comment

by:ahoffmann
It's not up to me to comment on your "guru"'s opinion ;-)
If you're not familiar with UNIX/Linux systems administration, then package managers are the way you should do it (doesn't matter which one, most common is rpm).
If you're used to admin Linux, know where all the files go, and should go, know how to install your compiled software, even that you got as source package, then you're most likely lost with any package manager.

IMHO they are useless, cause they only know about packages installed by themselves. They store this information, according with the package dependencies, in a proprietary database. If you install something without, or with another package manager, the database is out of sync with reality. That's the culprit.
Another dragon to beat with them is what you described: package managers claim to know things better than admins, sometimes, somehow, ...

Again, if you're not used to administration in detail, use package managers 'cause that makes things simple and stable for you. But then you have to live with its restrictions too.

So, this is all off-topic to the question here. Can we please return to the focus of this question.
0
 

Author Comment

by:ken021600
K. i'll finalize this question now. but i think maybe i should give samri some points too, coz he gave me some useful comments too.

so how can i split the points?
KEN
0
 
LVL 51

Expert Comment

by:ahoffmann
well, the grading goes to the most helpful answer, not a person :-)
Or ask support @ EE to split the points, if more than one comment helped you.
0
 
LVL 15

Expert Comment

by:samri
sorry guys, just came back from emergencies. :(

Pkg manager.  Good if you prefer to go by the book.  Manual installation of pkg should work, or even copying binaries of similar platform should be working too.

the Pts part.  I *sadly* had to agree with ahoffmann on that, since when you click on "Accept comment as Answer", that will be the focus when the Question becomes PAQ.

Personally, I would believe that pts (here in EE) should be a token of appreciation, on how the members had contributed.

It's not a big deal anyway.  Personally, getting one problem solved is part of "learning" process too (to me).  And it's great to know that the comments do make life easier to some people.

cheers.
0
 

Author Comment

by:ken021600
Hi ahoffmann and samri,

i've sent a mail to EE inquiring how to split points and haven't gotten any feedback. Once i get the reply i'll do the splitting and finalize this question. OK?

Thanks again,
KEN
0
 
LVL 15

Expert Comment

by:samri
ken,

I think it will be much faster if you post a 0-pts question in Community Support (http://www.experts-exchange.com/commspt/), and ask for assistance.  Just describe what needs to be done, and the Moderator should be able to assist.  Don't forget to mention the Question # (http://www.experts-exchange.com/linux/Q_20304527.html)  (copy-paste the link should be OK).

cheers.
0
 
LVL 1

Expert Comment

by:Computer101
I have reduced the points for the split.  Now you can accept an expert's comment as an answer.  After that, make another 50 question for the other expert in this topic area.

Computer101
E-E Moderator
0
 

Author Comment

by:ken021600
Thanks a lot and see you next time!

KEN
0
