To answer your question: Correct.

You generally want it "u=rwx,og-rw" (711 in numeric) unless you are sharing job duties with someone else and making use of the group assignment.

To go into too much detail: the execute bit on directories means that you can access any file within the subdir so long as you already know the name of it. The read bit is what allows you to browse the directory entries. You had correctly deduced this.

Try changing the perms on your scripts to the same (711) and see if they'll still work with the webserver. I'm not sure if the server needs to _read_ the files or if it just executes them. If you change and it still works, then you've kept other accounts from copying your scripts.

A quick tutorial on chmod.. a means "all", o for "other", u for "user", g for "group". You can do a "chmod a+r,og-w ..." to give everyone read permission and take away write perm to "other and group". You can use numerics, like "chmod 644..." (does the same as a+r,og-w for non-execute-bit objects, like webpages).

The numbers I used above are simple octal (0-7, three bit) figures. Just add up what you want to get the number.

x (execute) = 1
w (write) = 2
r (read) = 4

If I want "rw" for myself and "r" for group and other, that would be 2+4 (myself, "user") and 4 (group) and 4 (other), or "644". a "ls -l" would show "-rw-r--r--". Don't add up the 6+4+4 and make it 14. chmod won't know whether that was from a 644 or a 464 or whatever. It'll assume you want 014 (g=x,o=r), which is rarely useful.

For directories, the same applies, but you have to add x to everything to make it useful. That permission number would be "755" and look like the standard "-rwxr-xr-x".

Rob++

Thanks, I was forced to try and figure some of it out last night but it was half guesswork :) I'll have a go later thanks for the detailed advice.

It was interesting exercise though, because of the way different hosts treat it. One host seems to have a script running that will periodically fix permissions (nice), the other dont and when they set up the account seem to basically leave it open to anyone else. The final host is a puzzle, if I make a perl script executable by all (and rwx for me) the server wont execute it. It gives an internal server error and the log says "Can't open perl script "/path/cgi-bin/script.pl": Permission denied", it will only work if I make it both executable and readable by all :(.

Anyway thanks for the info I will dig into it later when I have a chance.

Ok, i'm fairly clear on this now. My only problem is the one host I use, my scripts wont run when chmod to 711 i.e
-rwx--x--x
They will only work with read permission given to all i.e
-rwx--xr-x

As far as I can see this still means that others can read those scripts :( can anyone see a solution?

Thanks.

Your best bet is to see if you can lock down that cgi-bin subdir or get in a group with the html server (that others aren't in).

Rob++

I would contact your hosting provider. This really shouldn't be something that you can do on a virtual host if they set it up correctly.

I was once with a UK host (no names no pack drill) who had a very strange set up - all cgi was hosted on a seperate server rather than in your main virtual host. This caused the problems TPK describes (plus many others) and I never found a way around it.