
Linux, Unix, and *nix like Operating Systems Forum

Preventing files from being read by other users.
security concern.
theperlyking, msg:907738, 10:58 pm on Jul 24, 2001 (gmt 0)

On one host I have noticed that once logged in via telnet you can read any user's files; yes, that means that someone else, by virtue of having an account on the same server, can read/copy my scripts/logs/customer data, etc.

I've played a little with chmod, but I'll admit that I'm not really familiar with it. I've restricted file permissions to user=rwx, but I have to give read access to all to have the pages served. I suppose this isn't too much of a problem with HTML files (apart from SSIs being visible, which doesn't matter).

Would I be right in saying that my cgi-bin directory will function correctly only having executable set for all?

Tips and advice welcome, thanks.


windsor, msg:907739, 4:05 am on Jul 25, 2001 (gmt 0)

To answer your question: Correct.

You generally want it "u=rwx,og-rw" (711 in numeric) unless you are sharing job duties with someone else and making use of the group assignment.

To go into too much detail: the execute bit on directories means that you can access any file within the subdir so long as you already know the name of it. The read bit is what allows you to browse the directory entries. You had correctly deduced this.

Try changing the perms on your scripts to the same (711) and see if they'll still work with the webserver. I'm not sure if the server needs to _read_ the files or if it just executes them. If you change and it still works, then you've kept other accounts from copying your scripts.

A quick tutorial on chmod.. a means "all", o for "other", u for "user", g for "group". You can do a "chmod a+r,og-w ..." to give everyone read permission and take away write perm to "other and group". You can use numerics, like "chmod 644..." (does the same as a+r,og-w for non-execute-bit objects, like webpages).

The numbers I used above are simple octal (0-7, three bit) figures. Just add up what you want to get the number.

x (execute) = 1
w (write) = 2
r (read) = 4

If I want "rw" for myself and "r" for group and other, that would be 2+4 (myself, "user") and 4 (group) and 4 (other), or "644". An "ls -l" would show "-rw-r--r--". Don't add up the 6+4+4 and make it 14. chmod won't know whether that was from a 644 or a 464 or whatever. It'll assume you want 014 (g=x,o=r), which is rarely useful.

For directories, the same applies, but you have to add x to everything to make it useful. That permission number would be "755" and look like the standard "-rwxr-xr-x".

Rob++

theperlyking, msg:907740, 8:51 am on Jul 25, 2001 (gmt 0)

Thanks, I was forced to try and figure some of it out last night, but it was half guesswork :) I'll have a go later; thanks for the detailed advice.

It was an interesting exercise though, because of the way different hosts treat it. One host seems to have a script running that will periodically fix permissions (nice); the other doesn't, and when they set up the account they seem to basically leave it open to anyone else. The final host is a puzzle: if I make a perl script executable by all (and rwx for me) the server won't execute it. It gives an internal server error and the log says "Can't open perl script "/path/cgi-bin/script.pl": Permission denied"; it will only work if I make it both executable and readable by all :(.

Anyway thanks for the info I will dig into it later when I have a chance.

theperlyking, msg:907741, 9:38 pm on Jul 25, 2001 (gmt 0)

OK, I'm fairly clear on this now. My only problem is the one host I use: my scripts won't run when chmod'd to 711, i.e.
-rwx--x--x
They will only work with read permission given to all, i.e.
-rwx--xr-x

As far as I can see this still means that others can read those scripts :( can anyone see a solution?

Thanks.

windsor, msg:907742, 3:24 am on Jul 26, 2001 (gmt 0)

Your best bet is to see if you can lock down that cgi-bin subdir or get in a group with the html server (that others aren't in).

Rob++
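An added example, not code from any of the posters, that works through the chmod arithmetic in windsor's first reply (r=4, w=2, x=1 per triple; never collapse 6+4+4 into "14") and his later suggestion of sharing a group with the web server so that "other" accounts get nothing on cgi-bin. Everything about the target host is assumed: the server's group name is whatever the caller passes in (the demo uses your own primary group as a stand-in), and scripts are picked up by a .pl suffix.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster). It converts
# between octal and symbolic modes as described above, rejects the
# "14 instead of 644" mistake, and locks down a cgi-bin directory so that
# only the owner and the web server's group can get at the scripts.
# Assumptions: the server group name is supplied by the caller, and scripts
# are identified by a .pl suffix; both are illustrative only.

# bits_of rwx -> 7: r=4, w=2, x=1 for one three-character triple.
bits_of() {
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    case $1 in ??x) n=$((n + 1)) ;; esac
    echo "$n"
}

# mode_to_octal "-rw-r--r--" (or "rw-r--r--") -> 644. A 10-character
# string as printed by "ls -l" has its type character stripped first.
mode_to_octal() {
    m=$1
    case ${#m} in
        10) m=${m#?} ;;
        9)  ;;
        *)  echo "bad mode string: $1" >&2; return 1 ;;
    esac
    u=$(bits_of "$(printf %.3s "$m")")
    g=$(bits_of "$(printf %.3s "${m#???}")")
    o=$(bits_of "${m#??????}")
    echo "$u$g$o"
}

# triple_of 5 -> r-x: one octal digit back to its rwx triple.
triple_of() {
    r=-; w=-; x=-
    case $1 in 4|5|6|7) r=r ;; esac
    case $1 in 2|3|6|7) w=w ;; esac
    case $1 in 1|3|5|7) x=x ;; esac
    echo "$r$w$x"
}

# octal_to_mode 711 -> rwx--x--x. Exactly three octal digits are required:
# "14" (6+4+4 added up) is rejected instead of silently becoming 014.
octal_to_mode() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits (e.g. 644), got '$1'" >&2; return 1 ;;
    esac
    echo "$(triple_of "${1%??}")$(triple_of "$(printf %.1s "${1#?}")")$(triple_of "${1#??}")"
}

# current_mode PATH -> the "drwxr-x---" field of "ls -ld" (portable; no stat -c).
current_mode() {
    ls -ld "$1" | cut -c1-10
}

# lockdown_cgi DIR GROUP: owner keeps rwx, the server's group can traverse the
# directory and read+execute the scripts (for hosts whose server must read
# them), and "other" accounts on the box get nothing at all.
lockdown_cgi() {
    dir=$1; grp=$2
    chgrp -- "$grp" "$dir"
    chmod 750 "$dir"                    # drwxr-x---
    for f in "$dir"/*.pl; do
        [ -e "$f" ] || continue         # no scripts: the glob stays literal
        chgrp -- "$grp" "$f"
        chmod 750 "$f"                  # -rwxr-x---
    done
}

# Demonstration against a throwaway directory, with the caller's own primary
# group standing in for the web server's group.
demo() {
    d=$(mktemp -d)
    touch "$d/hello.pl"; chmod 755 "$d/hello.pl"    # the world-readable starting point
    echo "before: $(current_mode "$d/hello.pl") = $(mode_to_octal "$(current_mode "$d/hello.pl")")"
    lockdown_cgi "$d" "$(id -gn)"
    echo "after:  $(current_mode "$d/hello.pl") = $(mode_to_octal "$(current_mode "$d/hello.pl")")"
    echo "711 is $(octal_to_mode 711); 755 is $(octal_to_mode 755)"
    rm -rf "$d"
}
demo
```

The group gets 5 (r-x) rather than 1 (--x) because of the host in this thread whose server insists on reading the script; whether 711 or 750 is enough on a given host depends on which uid and gid the server opens the script as, so check with "ls -ld" after each change rather than guessing. Note that this only keeps other unprivileged accounts out; root and anyone else the hosting company has given privileges can still read everything.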

ggrot, msg:907743, 12:43 pm on Jul 26, 2001 (gmt 0)

I would contact your hosting provider. This really shouldn't be something that you can do on a virtual host if they set it up correctly.

sugarkane, msg:907744, 12:48 pm on Jul 26, 2001 (gmt 0)

I was once with a UK host (no names, no pack drill) who had a very strange set-up: all CGI was hosted on a separate server rather than in your main virtual host. This caused the problems TPK describes (plus many others) and I never found a way around it.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved