
Forum Moderators: bakedjake


Preventing files from being read by other users.

security concern.



10:58 pm on Jul 24, 2001 (gmt 0)

10+ Year Member

On one host I have noticed that once logged in via telnet you can read any user file. Yes, that means that someone else, by virtue of having an account on the same server, can read/copy my scripts/logs/customer data etc.

I've played a little with chmod but I'll admit that I'm not really familiar with it. I've restricted file permissions to user=rwx, but I have to give read access to all to have the pages served. I suppose this isn't too much of a problem with html files (apart from SSIs being visible, which doesn't matter).

Would I be right in saying that my cgi-bin directory will function correctly only having executable set for all?

Tips and advice welcome, thanks.


4:05 am on Jul 25, 2001 (gmt 0)

To answer your question: Correct.

You generally want it "u=rwx,og-rw" (711 in numeric) unless you are sharing job duties with someone else and making use of the group assignment.

To go into too much detail: the execute bit on directories means that you can access any file within the subdir so long as you already know the name of it. The read bit is what allows you to browse the directory entries. You had correctly deduced this.

Try changing the perms on your scripts to the same (711) and see if they'll still work with the webserver. I'm not sure if the server needs to _read_ the files or if it just executes them. If you change and it still works, then you've kept other accounts from copying your scripts.

A quick tutorial on chmod: a means "all", o for "other", u for "user", g for "group". You can do a "chmod a+r,og-w ..." to give everyone read permission and take away write perm to "other and group". You can use numerics, like "chmod 644..." (does the same as a+r,og-w for non-execute-bit objects, like webpages).

The numbers I used above are simple octal (0-7, three bit) figures. Just add up what you want to get the number.

x (execute) = 1
w (write) = 2
r (read) = 4

If I want "rw" for myself and "r" for group and other, that would be 2+4 (myself, "user") and 4 (group) and 4 (other), or "644". An "ls -l" would show "-rw-r--r--". Don't add up the 6+4+4 and make it 14. chmod won't know whether that was from a 644 or a 464 or whatever. It'll assume you want 014 (g=x,o=r), which is rarely useful.

For directories, the same applies, but you have to add x to everything to make it useful. That permission number would be "755" and look like the standard "-rwxr-xr-x".
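Added example (not part of the original thread): a shell audit of the permission bits the reply above describes, listing files whose "other" read bit is set and directories that other accounts can browse rather than only traverse. The directory tree and file names are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an account for entries other local users can read.
# The sample tree built below is constructed, not taken from the thread.

# Regular files whose "other" read bit (octal 004) is set.
world_readable_files() {
    find "$1" -type f -perm -004 -print | sort
}

# Directories whose "other" read bit is set, i.e. others can list the
# entries. A 711 directory is traversable by known name but not listable.
listable_dirs() {
    find "$1" -type d -perm -004 -print | sort
}

# Build a constructed sample tree and print its root path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/public_html" "$root/cgi-bin" "$root/logs"
    echo '<html></html>' > "$root/public_html/index.html"
    printf '#!/usr/bin/perl\nprint "ok";\n' > "$root/cgi-bin/script.pl"
    echo 'customer data' > "$root/logs/orders.log"
    # 755/644: served pages, readable by all
    chmod 755 "$root/public_html"
    chmod 644 "$root/public_html/index.html"
    # 711: execute only for group and other
    chmod 711 "$root/cgi-bin"
    chmod 711 "$root/cgi-bin/script.pl"
    # 700/600: private to the owner
    chmod 700 "$root/logs"
    chmod 600 "$root/logs/orders.log"
    chmod 711 "$root"
    echo "$root"
}

# Usage: sh audit.sh /path/to/account (audits an existing directory)
if [ -n "${1:-}" ]; then
    echo "Files readable by other users:"
    world_readable_files "$1"
    echo "Directories other users can list:"
    listable_dirs "$1"
fi
```

On the sample tree only `public_html` and `index.html` are reported; changing `script.pl` to 755, as the one host in the thread requires, adds it to the list of files other accounts can read.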



8:51 am on Jul 25, 2001 (gmt 0)

10+ Year Member

Thanks, I was forced to try and figure some of it out last night but it was half guesswork :) I'll have a go later, thanks for the detailed advice.

It was an interesting exercise though, because of the way different hosts treat it. One host seems to have a script running that will periodically fix permissions (nice), the other doesn't, and when they set up the account they seem to basically leave it open to anyone else. The final host is a puzzle: if I make a perl script executable by all (and rwx for me) the server won't execute it. It gives an internal server error and the log says "Can't open perl script "/path/cgi-bin/script.pl": Permission denied". It will only work if I make it both executable and readable by all :(.

Anyway thanks for the info I will dig into it later when I have a chance.


9:38 pm on Jul 25, 2001 (gmt 0)

10+ Year Member

Ok, I'm fairly clear on this now. My only problem is the one host I use, my scripts won't run when chmod to 711 i.e
They will only work with read permission given to all i.e

As far as I can see this still means that others can read those scripts :( Can anyone see a solution?



3:24 am on Jul 26, 2001 (gmt 0)

Your best bet is to see if you can lock down that cgi-bin subdir or get in a group with the html server (that others aren't in).



12:43 pm on Jul 26, 2001 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

I would contact your hosting provider. This really shouldn't be something that you can do on a virtual host if they set it up correctly.


12:48 pm on Jul 26, 2001 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

I was once with a UK host (no names no pack drill) who had a very strange setup - all cgi was hosted on a separate server rather than in your main virtual host. This caused the problems TPK describes (plus many others) and I never found a way around it.
