711 won't work because although you're making it executable for owner, other, and everyone, it won't work unless you also give "read" permissions to everyone. (At least, this is in my experience... someone please correct me if this is different under some combinations of Apache and *nix.)
755 is your best bet. This makes your code both readable and executable by all, and that is the minimum requirement for someone to use it via a webserver. "Everyone" has to be able to run it, and "everyone" has to be able to read it. You have to open the barn doors like that or no one would ever get the benefit of your wonderful widget. There's no security hazard in giving read access to an executable script, because unless you have a badly configured Apache server any accesses to an executable file will execute the code and not display your source, so you don't have to worry about Everyone just "reading" your CGI. (Of course, this doesn't apply to people who actually have legitimate accounts on the webserver. They count as "everyone" too and they'll be able to cat your source code.)
The security issues here do not lie with access to your CGI, but rather in ensuring that your CGI cannot do anything beyond what it's suppossed to do. This can be an easy thing to do (as in your example of a simple hex/dec converter, where the only thing the CGI does is spit things back to the browser) to more complex things that involve writing to files on the server or updating databases or such. The Evil that Bad People do with your CGI is limited by the access and actions that your CGI has; the more narrowly focused your task, the fewer options Bad People have to abuse your code.
Gary Blackburn
Trained Killer
In reply to Re: Secure Permissions?
by Trimbach
in thread Secure Permissions?
by footpad
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |