in reply to Secure Permissions?

744 is equivalent to rwxr--r-- which won't work at all for CGI's, because CGI's must be executable by everyone, whereas 744 only allows execution by the owner, with read only privileges to "other" and "everyone".

711 won't work because although you're making it executable for owner, other, and everyone, it won't work unless you also give "read" permissions to everyone. (At least, this is in my experience... someone please correct me if this is different under some combinations of Apache and *nix.)

755 is your best bet. This makes your code both readable and executable by all, and that is the minimum requirement for someone to use it via a webserver. "Everyone" has to be able to run it, and "everyone" has to be able to read it. You have to open the barn doors like that or no one would ever get the benefit of your wonderful widget. There's no security hazard in giving read access to an executable script, because unless you have a badly configured Apache server any accesses to an executable file will execute the code and not display your source, so you don't have to worry about Everyone just "reading" your CGI. (Of course, this doesn't apply to people who actually have legitimate accounts on the webserver. They count as "everyone" too and they'll be able to cat your source code.)

The security issues here do not lie with access to your CGI, but rather in ensuring that your CGI cannot do anything beyond what it's suppossed to do. This can be an easy thing to do (as in your example of a simple hex/dec converter, where the only thing the CGI does is spit things back to the browser) to more complex things that involve writing to files on the server or updating databases or such. The Evil that Bad People do with your CGI is limited by the access and actions that your CGI has; the more narrowly focused your task, the fewer options Bad People have to abuse your code.

Gary Blackburn
Trained Killer

Replies are listed 'Best First'.
RE: Re: Secure Permissions?
by rlk (Pilgrim) on Nov 06, 2000 at 11:13 UTC
    CGI's must be executable by everyone

    AFAIK, this is configuration dependent. Commonly, Apache is often set up to run as the user 'nobody' (group 'nogroup'), and the scripts are owned by some user, i.e. 'webmaster', or possibly by root. In this case, the scripts must be world-executable, because the server is not running as the same user or group as the owner.

    However, this is not always the case. My personal webserver, for example, runs as the user 'httpd', and is a member of the groups 'httpd' and 'web'. My PHP pages (the same rules apply as for CGI scripts) are owned by user 'rlk' (me), and have group 'web'. Since the server is a member of group web, the pages need only be group-executable. One advantage of doing it this way is that some of the pages need things such as database passwords hard-coded into them, and if they were world readable (a script must be readable to be executable), then any user on my system could read the script, learn my mysql password, and trash my database.

    --
    Ryan Koppenhaver, Aspiring Perl Hacker
    "I ask for so little. Just fear me, love me, do as I say and I will be your slave."

[reply]

In Section Seekers of Perl Wisdom