05-22-2003, 12:04 AM
|
#1 (permalink)
|
|
I am red.
Join Date: Feb 2003
Location: Cleveland, OH
Posts: 139
|
permissions
I just wrote a Perl script that reads from text files and writes to text files within a directory. This script is accessed and interacted with via a webpage. So my question is: what are the minimum permissions I need on the directory in order to get things to work properly? I feel uncomfortable using 777 but at the same time it makes sense, and works. Is there another set of permissions I could use that might keep things somehow more secure?
Am I misunderstanding how permissions work or am I just being paranoid?
|
|
|
05-22-2003, 08:19 AM
|
#2 (permalink)
|
|
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,487
|
well either the 'world' can write to that directory or they can't.
a '6' would allow them to read/write and not execute.. I don't think they would need execute permission.
this is how I understand it anyway.
__________________
Mike
|
|
|
05-22-2003, 08:49 AM
|
#3 (permalink)
|
|
I am red.
Join Date: Feb 2003
Location: Cleveland, OH
Posts: 139
|
The script is inside the directory though and that needs to be executed. I'm fairly positive that the permissions need to be 777, that's why I made a whole separate directory for this little project. Still it makes me uncomfortable.
|
|
|
05-22-2003, 10:12 AM
|
#4 (permalink)
|
|
Moderator
Join Date: May 2002
Location: us.ca
Posts: 4,487
|
yes, if anything in the directory needs to execute then 7 is the setting.
you could always make the script run from that directory with only read and execute permissions .. then the files that you are writing can be in a directory beneath that one. that might be a little safer.
__________________
Mike
|
|
|
05-22-2003, 09:41 PM
|
#5 (permalink)
|
|
Senior Contributor
Join Date: May 2002
Location: vta.ca.usa
Posts: 555
|
Just to clarify, a '7' is complete access: Read, Write, Execute. A directory has to have Read/Execute perms in order to function properly, at the least. Directories shared to other users in your same group will usually require all permissions, whereas 'world' permissions should almost always be Read/Execute only, or '5'. The appropriate directory perms for anything shared via the web should be either 775 or 755, almost never 777. If someone from the public is allowed to write to the directory and to your script, they could potentially gain access to the server, or change your script to do whatever it is they want it to do.
The way UNIX permissions work is like this:
4 = Read
2 = Write
1 = Execute
Add the values up to figure out what perms a certain file or directory should have. For example, your script should be 755, or
4+2+1 = 7 (ALL PERMS) / 4+1 = 5 (Read/Execute) / 4+1 = 5 (Read/Execute)
The first value is USER, second is GROUP, third is WORLD.
Regular files like html/php pages, images, etc. are usually 644, executables (like Perl CGI scripts) are 755, directories also 755.
Hope this makes things a little clearer for you.
|
|
|
05-23-2003, 11:28 PM
|
#6 (permalink)
|
|
Regular Contributor
Join Date: Mar 2003
Location: Las Vegas, NV
Posts: 127
|
Couldn't you chown and chgrp the directory to the user and group your web server runs as (usually 'nobody')? I would think then it would work fine with permissions of 775. Then it's not world writable, but it's writable by the web server.
Or you could read/write files in a sub-directory under your script directory. That way you can make the script directory 755 and the files directory 666. There should be no reason why you have to have your script in the same directory you're writing files to.
__________________
--Epsilon--
|
|
|
05-24-2003, 08:55 AM
|
#7 (permalink)
|
|
Senior Contributor
Join Date: May 2002
Location: vta.ca.usa
Posts: 555
|
Quote:
Originally posted by Epsilon
Couldn't you chown and chgrp the directory to the user and group your web server runs as (usually 'nobody')? I would think then it would work fine with permissions of 775. Then it's not world writable, but it's writable by the web server.
Or you could read/write files in a sub-directory under your script directory. That way you can make the script directory 755 and the files directory 666. There should be no reason why you have to have your script in the same directory you're writing files to.
|
Valid point on the ownership; if the script and directory live under the DocumentRoot, it should already be owned by 'root' or 'httpd' or 'nobody'. That's something left to the web admin to figure out. That doesn't really matter though. As long as it's owned by a group that has permissions to write to the directory, 775 will work fine. It could be owned by the 'salinewebserverproject' group, as long as it has the right perms.
You should be able to have the script write to any directory you'd want, I would think, including '/tmp'. A directory with perms of '666' doesn't work, though. You can't enter the directory without Executable permissions, and again, that extra '2' is giving world write perms.
|
|
|
05-24-2003, 08:43 PM
|
#8 (permalink)
|
|
I am red.
Join Date: Feb 2003
Location: Cleveland, OH
Posts: 139
|
Ahhhh
Now this is interesting alpha seems to have hit upon what I might need. I want to avoid world write but need to have the webserver be able to write.
Ok, I'll see how all of this works soon but for now, I don't know, I think I'm going back to bed.
Thanks everyone.
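The layout discussed in posts #5 to #7, as an added example that is not from any poster in this thread: a 755 script directory, a 755 script, and a 775 data sub-directory, plus a decoder for the 4/2/1 digits and a check for world-writable entries. The script name `guestbook.pl`, the `WEB_GROUP` value and the scratch directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example. WEB_GROUP is an assumption: the thread only says the web
# server usually runs as 'nobody'; use whatever group your server runs as.
WEB_GROUP=nobody

# Decode one octal digit (4=read, 2=write, 1=execute) into rwx form.
digit_to_rwx() {
    d=$1; out=""
    if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    printf '%s' "$out"
}

# Decode a three-digit mode (USER, GROUP, WORLD) such as 755.
mode_to_rwx() {
    m=$1
    u=${m%??}; rest=${m#?}; g=${rest%?}; w=${rest#?}
    printf '%s%s%s\n' "$(digit_to_rwx "$u")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$w")"
}

# Build the layout: script dir and script 755, data sub-directory 775.
setup_layout() {
    base=$1
    mkdir -p "$base/cgi-bin/data"
    # Constructed stand-in for the CGI script (hypothetical name).
    printf '#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\nok\\n";\n' \
        > "$base/cgi-bin/guestbook.pl"
    chmod 755 "$base/cgi-bin" "$base/cgi-bin/guestbook.pl"
    chmod 775 "$base/cgi-bin/data"
    # On a real server, as root, hand the data directory to the server's group:
    #   chgrp "$WEB_GROUP" "$base/cgi-bin/data"
}

# List every entry under $1 that has the world-write bit set.
world_writable() {
    find "$1" ! -type l -perm -0002
}

# Demo in a scratch directory.
demo=$(mktemp -d) && setup_layout "$demo"
for m in 755 775 777 666; do echo "$m = $(mode_to_rwx "$m")"; done
echo "world-writable entries after setup: $(world_writable "$demo" | wc -l)"
rm -rf "$demo"
```

The 666 line of the output shows why that mode fails on a directory: no execute bit in any position, and the world-write bit still set.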
|
|
|
All times are GMT -8.
|
Copyright © 2000-2008, Milano Interactive