Re: CGI scripts permissions

2002-12-27 Thread zentara
On Wed, 25 Dec 2002 19:39:58 +, [EMAIL PROTECTED] (Philip
Pawley) wrote:

> I'm a newbie, so the below is a question: Is this problem of cgi permissions
> different when you are just running a perl script from a virtual include - as I am?
>
> Reading this thread, I did some tests and changed my script's permissions to 500 and
> it still works fine. (I first did it just for a test script of course)!
>
> I am just an ordinary user (in my own group) on the web server. How is this possible?

You probably have suexec running on the webserver. mode 500 means that
the user can read and execute the script.  Normally the httpd daemon
will be nobody/nogroup, or something similarly underprivileged.
With suexec, you are letting the httpd daemon run as user/users.

I said that it has its drawbacks. That's why if you do use it for
something important, make a separate user just to run that cgi script.

Here is a little test script to run:
First run it and see what you get, then go and rename
/usr/sbin/suexec to suexec.bak and restart apache. Then
see what you get.

###
#!/bin/sh
echo Content-type: text/plain
echo 
echo Username=`whoami`
###






-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




Re: CGI scripts permissions

2002-12-25 Thread zentara
On Wed, 25 Dec 2002 05:34:04 +0200, [EMAIL PROTECTED] (Octavian Rasnita)
wrote:

> Yes I know these, but ... it seems there is no solution.
>
> 1. The web server is not in the same group with me, and if it will be made
> to stay in the same group with me, the other users that have web pages on
> that server will need to be added to that group.
>
> 2. I saw that I need to give read permission also for a script to work, not
> only execute permissions.
>
> The only solution would be to run the Apache server with my user, but I
> don't know how to do that.
> How is this possible?

Apache has the suexec program to do this. If suexec is in the
path when apache starts up, then the httpd will run as 
user when in the user's home directory. This has advantages
and disadvantages, but it is easily done.
Normally apache will run as wwwrun/nogroup or nobody/nogroup,
with suexec, apache will run as user/users when in users public_html.
You can then run scripts at mode 700.

It usually is best to set aside a dedicated user just for some
cgi-program.






Re: CGI scripts permissions

2002-12-25 Thread Philip Pawley
I'm a newbie, so the below is a question: Is this problem of cgi permissions different 
when you are just running a perl script from a virtual include - as I am?

Reading this thread, I did some tests and changed my script's permissions to 500 and 
it still works fine. (I first did it just for a test script of course)! 

I am just an ordinary user (in my own group) on the web server. How is this possible?

Thanks, 
Philip Pawley






Re: CGI scripts permissions

2002-12-24 Thread Rene Verharen
Hi,

At 24-12-2002 18:09 +0200, Octavian Rasnita wrote:


> Please tell me what file permissions should I use for a CGI script.

chmod 755

> Can I deny other users to see the content of the cgi-bin directory (chmod
> 700) and chmod 755 only the files?

Put an index.cgi in your cgi-bin directory that routes the users to your 
homepage.  I did this with all my directories with no index.html in it.

 Begin index.cgi

#!/usr/local/perl
# Redirect anyone who requests the bare directory to the welcome page.
$detour = '/somedirectorie/welcom.html';
print "Location: $detour\n";
print "Content-Type: text/html\n";
print "\n";

 End of index.cgi

Any comments are welcome.



Kind regards,



Rene Verharen


Please DO NOT reply to me personally.  I'll get my copy from the list.





RE: CGI scripts permissions

2002-12-24 Thread wiggins
This is going to depend somewhat on your setup, mainly what user the web server is 
running as and what group it might be in.  You could probably set your script to be 
710 if your web server is in the same group as you but not the same user as you. Or if 
you go to 711, then anyone can execute the script but not read it, except for the 
owner which may be what you want.  The same essentially applies to the directory, if 
the web server (owner/group) can't read the directory then it can't execute the 
script, so setting the directory to 700 with the web server running under a different 
owner/group will mean the script can't be run in a cgi context.

So determine whether the web server is running as the same user as you, if so you can 
limit it to 700, if it is running as a different user in the same group, then 710 
should do the trick, if it is a different user and group then you are looking at 711.

There is a chance, though I didn't think this was the case, that the script also has to 
be readable, in which case you are looking at 750 or 755.

1st digit = user
2nd digit = group
3rd digit = all

1 = execute
2 = write
4 = read

sum the permission values,

7 = (4+2+1) = read, write, execute
6 = read, write
5 = read, execute
4 = read
3 = write, execute
2 = write
1 = execute

http://danconia.org


On Tue, 24 Dec 2002 18:09:52 +0200, Octavian Rasnita [EMAIL PROTECTED] wrote:

> Hello all,
>
> Please tell me what file permissions should I use for a CGI script.
>
> I don't want other users from that server to view the content of my scripts
> because they contain passwords for MySQL databases.
> If I chmod 755 the scripts, the other users will also be able to see the
> files.
>
> Can I deny other users to see the content of the cgi-bin directory (chmod
> 700) and chmod 755 only the files?
> Or, ... do I have other options?
>
> Thank you.
>
> Teddy,
> Teddy's Center: http://teddy.fcc.ro/
> Email: [EMAIL PROTECTED]

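An added example, not written by any poster in this thread: a small shell model of the mode rules in the reply above and of the suexec case from zentara's replies earlier on the page. The uid/gid numbers and function names are constructed; it assumes no root, no supplementary groups, no ACLs, and a cgi-bin directory owned by the script's owner.

```sh
#!/bin/sh
# Constructed model of the Unix permission check discussed in this thread.
# Simplifications (assumptions): no root, no supplementary groups, no ACLs,
# and cgi-bin has the same owner and group as the script inside it.

# class_bits MODE FILE_UID FILE_GID PROC_UID PROC_GID -> prints one digit 0-7.
# Only the first matching class is consulted: owner, else group, else other.
class_bits() {
    mode=$((0$1))                     # leading 0 makes the shell read octal
    if [ "$4" -eq "$2" ]; then echo $(( (mode >> 6) & 7 ))
    elif [ "$5" -eq "$3" ]; then echo $(( (mode >> 3) & 7 ))
    else echo $(( mode & 7 ))
    fi
}

# cgi_runnable DIR_MODE FILE_MODE FILE_UID FILE_GID PROC_UID PROC_GID KIND
# KIND=script: a "#!" script, which the interpreter must also open for reading.
# KIND=binary: a compiled program, for which the execute bit alone is enough.
cgi_runnable() {
    d=$(class_bits "$1" "$3" "$4" "$5" "$6")
    f=$(class_bits "$2" "$3" "$4" "$5" "$6")
    [ $(( d & 1 )) -ne 0 ] || return 1        # search (x) on cgi-bin
    [ $(( f & 1 )) -ne 0 ] || return 1        # execute on the file
    [ "$7" != script ] || [ $(( f & 4 )) -ne 0 ] || return 1   # read, scripts only
    return 0
}

# can_read FILE_MODE FILE_UID FILE_GID PROC_UID PROC_GID
can_read() { [ $(( $(class_bits "$@") & 4 )) -ne 0 ]; }

yn() { if "$@"; then printf 'yes'; else printf 'no'; fi; }

# Constructed ids: script owner 1001:1001, httpd "nobody" 65534:65534,
# another shell user on the same host 1002:1002. cgi-bin is mode 711.
report() {
    printf '%-5s %-13s %-13s %s\n' mode httpd=nobody httpd=suexec neighbour-reads
    for m in 700 710 711 750 755 500; do
        printf '%-5s %-13s %-13s %s\n' "$m" \
            "$(yn cgi_runnable 711 "$m" 1001 1001 65534 65534 script)" \
            "$(yn cgi_runnable 711 "$m" 1001 1001 1001 1001 script)" \
            "$(yn can_read "$m" 1001 1001 1002 1002)"
    done
}
report
```

In the table, 755 is the only mode under which an httpd running as nobody can run the script, and it is also the only one the neighbouring user can read; when the script runs as its owner (the suexec column), 700 and 500 both run and stay unreadable to others.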




Re: CGI scripts permissions

2002-12-24 Thread Richard KHOO Guan Chen
I assume you are connecting to a database?

CGIs should have 500 permission and SHOULD NOT contain the password.  
Instead write a perl module which returns the database_handle and put that
together with the other modules (/usr/lib/perl5/5.8.0/). Then just
call the module in your CGI script.

Regards
Richard KHOO Guan Chen



On Tue, 24 Dec 2002, Octavian Rasnita wrote:

> Hello all,
>
> Please tell me what file permissions should I use for a CGI script.
>
> I don't want other users from that server to view the content of my scripts
> because they contain passwords for MySQL databases.
> If I chmod 755 the scripts, the other users will also be able to see the
> files.
>
> Can I deny other users to see the content of the cgi-bin directory (chmod
> 700) and chmod 755 only the files?
> Or, ... do I have other options?
>
> Thank you.
>
> Teddy,
> Teddy's Center: http://teddy.fcc.ro/
> Email: [EMAIL PROTECTED]







Re: CGI scripts permissions

2002-12-24 Thread Octavian Rasnita
No, I don't have a problem with the web page visitors but with the other
users that have accounts on that server.
They could use Telnet or SSH to view the files and directories.
They can see all my files if they have 755 permissions.

Teddy,
Teddy's Center: http://teddy.fcc.ro/
Email: [EMAIL PROTECTED]

- Original Message -
From: Rene Verharen [EMAIL PROTECTED]
To: Beginners-CGI List [EMAIL PROTECTED]
Sent: Tuesday, December 24, 2002 7:44 PM
Subject: Re: CGI scripts permissions


Hi,

At 24-12-2002 18:09 +0200, Octavian Rasnita wrote:

Please tell me what file permissions should I use for a CGI script.

chmod 755


Can I deny other users to see the content of the cgi-bin directory (chmod
700) and chmod 755 only the files?

Put an index.cgi in your cgi-bin directory that routes the users to your
homepage.  I did this with all my directories with no index.html in it.

  Begin index.cgi

#!/usr/local/perl
# Redirect anyone who requests the bare directory to the welcome page.
$detour = '/somedirectorie/welcom.html';
print "Location: $detour\n";
print "Content-Type: text/html\n";
print "\n";

  End of index.cgi

Any comments are welcome.



Kind regards,



Rene Verharen


Please DO NOT reply to me personally.  I'll get my copy from the list.






Re: CGI scripts permissions

2002-12-24 Thread Octavian Rasnita
Yes I know these, but ... it seems there is no solution.

1. The web server is not in the same group with me, and if it will be made
to stay in the same group with me, the other users that have web pages on
that server will need to be added to that group.

2. I saw that I need to give read permission also for a script to work, not
only execute permissions.

The only solution would be to run the Apache server with my user, but I
don't know how to do that.
How is this possible?

In other cases, the security of CGI scripts is 0.

Thank you.

Teddy,
Teddy's Center: http://teddy.fcc.ro/
Email: [EMAIL PROTECTED]

- Original Message -
From: [EMAIL PROTECTED]
To: Octavian Rasnita [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, December 24, 2002 7:56 PM
Subject: RE: CGI scripts permissions


This is going to depend somewhat on your setup, mainly what user the web
server is running as and what group it might be in.  You could probably set
your script to be 710 if your web server is in the same group as you but not
the same user as you. Or if you go to 711, then anyone can execute the
script but not read it, except for the owner which may be what you want.
The same essentially applies to the directory, if the web server
(owner/group) can't read the directory then it can't execute the script, so
setting the directory to 700 with the web server running under a different
owner/group will mean the script can't be run in a cgi context.

So determine whether the web server is running as the same user as you, if
so you can limit it to 700, if it is running as a different user in the same
group, then 710 should do the trick, if it is a different user and group
then you are looking at 711.

There is a chance, though I didn't think this was the case, that the script
also has to be readable, in which case you are looking at 750 or 755.

1st digit = user
2nd digit = group
3rd digit = all

1 = execute
2 = write
4 = read

sum the permission values,

7 = (4+2+1) = read, write, execute
6 = read, write
5 = read, execute
4 = read
3 = write, execute
2 = write
1 = execute

http://danconia.org


On Tue, 24 Dec 2002 18:09:52 +0200, Octavian Rasnita [EMAIL PROTECTED]
wrote:

> Hello all,
>
> Please tell me what file permissions should I use for a CGI script.
>
> I don't want other users from that server to view the content of my scripts
> because they contain passwords for MySQL databases.
> If I chmod 755 the scripts, the other users will also be able to see the
> files.
>
> Can I deny other users to see the content of the cgi-bin directory (chmod
> 700) and chmod 755 only the files?
> Or, ... do I have other options?
>
> Thank you.
>
> Teddy,
> Teddy's Center: http://teddy.fcc.ro/
> Email: [EMAIL PROTECTED]








Re: CGI scripts permissions

2002-12-24 Thread Octavian Rasnita
I can't do that because I am not the root of that server.
I am just a simple user like all other users and I don't want them see my
files.

Thank you.

Teddy,
Teddy's Center: http://teddy.fcc.ro/
Email: [EMAIL PROTECTED]

- Original Message -
From: Richard KHOO Guan Chen [EMAIL PROTECTED]
To: Octavian Rasnita [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, December 25, 2002 3:24 AM
Subject: Re: CGI scripts permissions


I assume you are connecting to a database?

CGIs should have 500 permission and SHOULD NOT contain the password.
Instead write a perl module which returns the database_handle and put that
together with the other modules (/usr/lib/perl5/5.8.0/). Then just
call the module in your CGI script.

Regards
Richard KHOO Guan Chen



On Tue, 24 Dec 2002, Octavian Rasnita wrote:

> Hello all,
>
> Please tell me what file permissions should I use for a CGI script.
>
> I don't want other users from that server to view the content of my scripts
> because they contain passwords for MySQL databases.
> If I chmod 755 the scripts, the other users will also be able to see the
> files.
>
> Can I deny other users to see the content of the cgi-bin directory (chmod
> 700) and chmod 755 only the files?
> Or, ... do I have other options?
>
> Thank you.
>
> Teddy,
> Teddy's Center: http://teddy.fcc.ro/
> Email: [EMAIL PROTECTED]













Re: CGI scripts permissions

2002-12-24 Thread Todd Wade

Octavian Rasnita [EMAIL PROTECTED] wrote in message
news:002901c2abd3$c17cdcb0$[EMAIL PROTECTED]...
> Yes I know these, but ... it seems there is no solution.
>
> 1. The web server is not in the same group with me, and if it will be made
> to stay in the same group with me, the other users that have web pages on
> that server will need to be added to that group.
>
> 2. I saw that I need to give read permission also for a script to work, not
> only execute permissions.
>
> The only solution would be to run the Apache server with my user, but I
> don't know how to do that.
> How is this possible?

You need a host that runs some type of setuid wrapper around the CGI
program.

Here's something I noted for the group awhile back:

http://groups.google.com/groups?threadm=3DACCC0E.7010903%40uakron.edu

Todd W.


