Well, let's take a look : )

Take a simple script, secure.pl:

    #!/usr/bin/perl -w
    use strict;
    use CGI qw(:standard);

    my $string = 'this is the string.';

    # header() emits the Content-Type line the web server expects first
    print header;
    print qq!
    <HTML><HEAD><TITLE>DUH</TITLE></HEAD>
    <BODY>$string</BODY></HTML>
    !;

Let's give it 711...oops. We get error 500 from Apache. Why? Because the file is now -rwx--x--x, which means the owner (first three bits after the leading -) can read 'r', write 'w', and execute 'x' it; anyone else in the owner's group (represented by the next three bits; note that only the 'x' is there, meaning the other two abilities are denied to the group) can execute it; and the general public can execute it. But what that means is that the account which Apache runs under - typically and rightfully nobody - cannot read the file, only execute it. But a lot of good it does to execute a Perl script you cannot read...

When we try 744, we get the Forbidden message from Apache. Now the file is -rwxr--r--, which means the owner can still do anything but the group and world can only read it. So Apache gets a chance to see the file but cannot execute the code within.

Finally I set it to 755 (-rwxr-xr-x) and it all goes well because nobody, in fact everyone on the system, can read and execute the file.

What it boils down to is that the account which runs the webserver is given no special privilege to the files containing your Perl code. So that means the account that runs the webserver (again, typically nobody) must have both read and execute permissions on the file involved. So, the amount of security you provide on the files themselves is determined by who has access and how. I have known people who give ownership of all production scripts to nobody and set them all to 500 (-r-x------). That way the scripts in production can ONLY be run and read by the webserver and anyone who sees them through the webserver (all black hatting aside).

Most of the time, though, when it comes to CGI security, the files are not the first concern. You seem to be aware of that from your statement that this is a simple program, which seems to say "I beg you not to spout off about taint checking". I respect that. : ) I hope this is helpful.

"sometimes when you make a request for the head you don't
want the big, fat body...don't you go snickering."
                                         -- Nathan Torkington UoP2K a.k.a gnat


In reply to (jptxs) Re: Secure Permissions? by jptxs
in thread Secure Permissions? by footpad
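The permission check the post walks through by trial and error, written out as an added Python example (this is not code from the original post or from secure.pl). It models what the kernel does for a non-root account: pick exactly one of the three classes (owner, then group, then other; the first match wins and the others are never consulted), then read that class's r/w/x bits, and reports whether a CGI handler running as that account could both read and execute the script. It goes beyond the three modes in the post by also showing why the 500 (-r-x------) trick works only when the file is owned by the web server account, and that a class is exclusive (an owner with mode 077 gets nothing even though everyone else would). The web server uid is an assumption: any uid that is neither the file owner nor in the file's group behaves identically, so the example uses "the current uid plus one" to stand in for nobody. Root is deliberately not modelled, since uid 0 bypasses the read check entirely.

```python
import os
import stat
import tempfile


def permission_class(st, uid, gids):
    """Decide which permission class applies to (uid, gids) for this inode.

    The order is owner, then group, then other; the first match wins and the
    remaining classes are never consulted (classes are exclusive, not cumulative).
    """
    if st.st_uid == uid:
        return "owner"
    if st.st_gid in gids:
        return "group"
    return "other"


def effective_perms(st, uid, gids):
    """Return (class, can_read, can_write, can_execute) for a non-root account."""
    cls = permission_class(st, uid, gids)
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    # S_IMODE strips the file-type bits so only the rwxrwxrwx part is shifted
    bits = (stat.S_IMODE(st.st_mode) >> shift) & 0o7
    return cls, bool(bits & 4), bool(bits & 2), bool(bits & 1)


def cgi_verdict(path, uid, gids):
    """Predict whether a CGI handler running as uid/gids could serve `path`.

    A script must be both readable (the interpreter has to load it) and
    executable (the server has to be allowed to run it).
    """
    _cls, r, _w, x = effective_perms(os.stat(path), uid, gids)
    if r and x:
        return "ok"
    if x:
        return "executable but unreadable"
    if r:
        return "readable but not executable"
    return "no access"


def verdict_for_mode(mode, uid, gids):
    """Create a throwaway file owned by the current user, chmod it, and report."""
    fd, path = tempfile.mkstemp(prefix="secure-", suffix=".pl")
    os.close(fd)
    try:
        os.chmod(path, mode)
        return cgi_verdict(path, uid, gids)
    finally:
        os.unlink(path)


def owner_uid():
    """The uid that owns files created by this process."""
    return os.getuid()


def non_owner_uid():
    # Assumption: stands in for the web server account ("nobody"). Any uid
    # that is not the owner and not in the file's group gets the "other" bits.
    return os.getuid() + 1


if __name__ == "__main__":
    for mode in (0o711, 0o744, 0o755, 0o500, 0o077):
        web = verdict_for_mode(mode, non_owner_uid(), frozenset())
        own = verdict_for_mode(mode, owner_uid(), frozenset())
        print(f"mode {mode:03o}: web server -> {web:28s} owner -> {own}")
```

Run it as an ordinary user and the first three rows reproduce the post's 500, 403 and success cases; the 500 row shows the owner can run the script while everyone else is locked out, which is the "chown nobody, chmod 500" arrangement, and the 077 row shows that wider bits for group and other never leak back to the owner.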
