alex1234

files permissions

I have a CGI program under unix under "public_html/cgi-bin" and a file "public_html/_private/db/db.dat" that this program reads/writes.

The question:
what are the right permissions for "public_html/_private/db" and "public_html/_private/db/db.dat" not to be visible/accessible from outside world?
Peewee

alex1234,

your cgi-bin will be protected from the outside world anyway. You should consider putting your data(public_html/_private/db/db.dat) under the cgi-bin as this has the protection built in, ie it was designed for this.

regards Peewee
ASKER CERTIFIED SOLUTION
Peewee

alex1234,

Possible Solutions:

cgi-bin:
========
put all data inside the cgi-bin and use the built-in protection. Therefore permissions here would be:  rwxrwxr-x.

non cgi-bin:
============

ensure all scripts have the same group as apache does, hence you give access to anyone who is on the same grouping as you.  Anyone outside this grouping will not have access, therefore permissions here would be:  rwxrwx---. You could also place index.html files in these directories to stop people viewing the contents of the directory.


conclusion:
===========
recommend that to save a lot of time and effort stick to using the cgi-bin and below this, you can of course choose to use a symbolic link on unix systems if you would like your private directory physically located elsewhere but operating under the cgi-bin.

let me know if you need more help.
regards Peewee
alex1234

ASKER

Peewee,

> your cgi-bin will be protected from the outside world anyway

it has 755 - includes group/public read. I want my data not to be even 'readable' from outside world. Completely. How?

alex1234,
the outside world cannot access the contents of the cgi-bin directly - hence the permissions are quite safe there, and may in fact be needed as apache may not be the owner, or on the same group as the scripts, hence apache may execute the scripts as the last set of permissions, ie the 5 and either of the 7's (755 permissions).

the data is not accessible in the cgi-bin, try it and see, put a text file in the cgi-bin, give these permissions and try to access it by the browser.  Then try the same but in the html sections and try and access it.

you will see that your text file will be displayed in the html bin but not in the cgi-bin.

regards Peewee
I just did a test - I put a simple html file into "public_html/cgi-bin" and I CAN access it with the browser! Why?
alex1234,

this is due to the configuration of apache.

a standard cgi-bin is thus:

ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"

<Directory "/home/httpd/cgi-bin/">
    AllowOverride None
    Options ExecCGI FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>


your configuration will be an extra cgi-bin for all unix users:
UserDir public_html

# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI

    #<Limit GET POST OPTIONS PROPFIND>
        #Order allow,deny
        #Allow from all
    #</Limit>
    #<Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
    #    Order deny,allow
    #    Deny from all
    #</Limit>
</Directory>


hence the configuration is different.  You will need the former configuration not the latter.

are you able to change your configuration?

regards Peewee
   
This is not my server - it is my internet service provider's one. Should I ask them or I can do it myself?
alex1234,
the problem is that the home/*/public_html is set up for html pages and cgi-bin use and for more security you need one for each.

you should request a more secure service from your Internet Service Provider, in particular if you are paying for this service.

failing this you can hide the contents of your directories by placing an index.html file in each directory. This will not stop people accessing your secure data, but will stop them from knowing what your file names are, hence making it very difficult to do so.

regards Peewee
Thanks,  I'll do this.

The last question:

is my public_html a user/password protected for FTP only? Does this mean, that in the current server configuration anyone can examine the contents of all files under "public_html" and its subdirectories using HTTP?
alex1234,

q):
is my public_html a user/password protected for FTP only?

a):
yes basically, to access your public_html on the command line or via ftp, a user would need your username and password which they won't have.

q):
Does this mean, that in the current server configuration anyone can examine the contents of all files under "public_html" and its subdirectories using HTTP

a):
yes they will.

This is not a good thing because all text files will be displayed on the browser and all directory contents will also be displayed, this leaves you quite vulnerable.

You can get around this in a sneaky way.  

If you make a directory public_html/_private/test
put some files in here not including an index file you will get a list of the directory - this is a bad thing.

However, if you put an index.htm page in there now, then this will be displayed, hence no one can find out the name of your files by http.

regards Peewee
alex1234,

glad to be of help

regards Peewee
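
The shell functions below are an added example, not part of the original thread. They assume the UserDir configuration quoted above, where "AllowOverride ... Limit" permits Order/Deny in a per-directory .htaccess and "Options Indexes" lists any directory without an index file; the function names and the index file names (index.html, index.htm) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the quoted UserDir config:
# "AllowOverride ... Limit" honours Order/Deny in .htaccess, and
# "Options Indexes" lists a directory that has no index file.

# Write a deny-all .htaccess into DIR. The CGI program is unaffected because
# it opens the data file through the filesystem, not through an HTTP request.
deny_http_access() {
    dir=$1
    printf '%s\n' 'Order deny,allow' 'Deny from all' > "$dir/.htaccess" || return 1
    chmod 644 "$dir/.htaccess"   # the web server must be able to read it
}

# Classify how DIR (inside ROOT) is exposed over HTTP:
#   denied          - DIR or a parent up to ROOT has "Deny from all"
#   listing-hidden  - index file present: names hidden, files still fetchable
#   listing-exposed - neither: the directory listing shows every file name
http_exposure() {
    dir=$1 root=${2:-$1}
    d=$dir
    while :; do
        if [ -f "$d/.htaccess" ] &&
           grep -qi '^[[:space:]]*deny from all' "$d/.htaccess"; then
            echo denied; return 0
        fi
        [ "$d" = "$root" ] && break
        parent=$(dirname "$d")
        [ "$parent" = "$d" ] && break   # reached the top without finding ROOT
        d=$parent
    done
    if [ -f "$dir/index.html" ] || [ -f "$dir/index.htm" ]; then
        echo listing-hidden
    else
        echo listing-exposed
    fi
}

# Report every directory under a tree, one "status<TAB>path" line each,
# e.g. audit_tree "$HOME/public_html"
audit_tree() {
    top=$1
    find "$top" -type d | while IFS= read -r sub; do
        printf '%s\t%s\n' "$(http_exposure "$sub" "$top")" "$sub"
    done
}
```
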