Welcome to WebmasterWorld Guest from 188.8.131.52
Forum Moderators: bakedjake
I've played a little with chmod but i'll admit that i'm not really familiar with it. I've restricted file permissions to user=rwx, but I have to give read access to all to have the pages served. I suppose this isnt too much of a problem with html files (apart from SSI's being visible which doesnt matter).
Would I be right in saying that my cgi-bin directory will function correctly only having executable set for all?
Tips and advice welcome, thanks.
You generally want it "u=rwx,og-rw" (711 in numeric) unless you are sharing job duties with someone else and making use of the group assignment.
To go into too much detail: the execute bit on directories means that you can access any file within the subdir so long as you already know the name of it. The read bit is what allows you to browse the directory entries. You had correctly deduced this.
Try changing the perms on your scripts to the same (711) and see if they'll still work with the webserver. I'm not sure if the server needs to _read_ the files or if it just executes them. If you change and it still works, then you've kept other accounts from copying your scripts.
A quick tutorial on chmod.. a means "all", o for "other", u for "user", g for "group". You can do a "chmod a+r,og-w ..." to give everyone read permission and take away write perm to "other and group". You can use numerics, like "chmod 644..." (does the same as a+r,og-w for non-execute-bit objects, like webpages).
The numbers I used above are simple octal (0-7, three bit) figures. Just add up what you want to get the number.
x (execute) = 1
w (write) = 2
r (read) = 4
If I want "rw" for myself and "r" for group and other, that would be 2+4 (myself, "user") and 4 (group) and 4 (other), or "644". a "ls -l" would show "-rw-r--r--". Don't add up the 6+4+4 and make it 14. chmod won't know whether that was from a 644 or a 464 or whatever. It'll assume you want 014 (g=x,o=r), which is rarely useful.
For directories, the same applies, but you have to add x to everything to make it useful. That permission number would be "755" and look like the standard "-rwxr-xr-x".
It was interesting exercise though, because of the way different hosts treat it. One host seems to have a script running that will periodically fix permissions (nice), the other dont and when they set up the account seem to basically leave it open to anyone else. The final host is a puzzle, if I make a perl script executable by all (and rwx for me) the server wont execute it. It gives an internal server error and the log says "Can't open perl script "/path/cgi-bin/script.pl": Permission denied", it will only work if I make it both executable and readable by all :(.
Anyway thanks for the info I will dig into it later when I have a chance.
As far as I can see this still means that others can read those scripts :( can anyone see a solution?