> Here's what I'm planning to do:
> In my cgi-bin:
> Make all my cgi-scripts 755
> Make my password data files 644
This is world-readable ... if your passwords are not encrypted, then ANYONE
can read your passwords. Since they are YOUR passwords, perhaps 600 would
be more appropriate.
> Make lots of data files 777
You may want to make the distinction between those datafiles that are only
read (make them 644) and those that need to be written. If they need to be
written, who does the writing? A single userid? A group? Set the
permission appropriately. Also, do the files need to be executable?
> Make some directories in my cgi-bin 775 (data files get written in these)
[If I remember correctly...] The permissions of a directory do not restrict
the writing of a file. They only control the creation and removal of entries
(files and subdirectories) in that directory. So if a datafile is written
to, but is not created and/or removed, you need not make the directory
writable by the group.
> Make one directory elsewhere in my webspace 775 (html pages get
> automatically produced here by the cgi script)
Your CGI script is creating temporary web pages? So you can cache the
results? Have you considered how to control the number and sizes of these
pages, and how to clean up this directory?
> What are your thoughts on this?
> Am I leaving anything vulnerable?
> What can I potentially be allowing unauthorised people
> (i.e. anyone but myself) to do?
Actually, if I were the SA of this system, I would not permit this
permission scheme, as there are just too many avenues for accidental or
intended damage. For instance, since anyone in the group can create or
modify scripts in your cgi-bin, someone could drop in a script that invokes
"rm -rf /". Would not that be fun?
> I'm setting permissions in this way as that is what the
> site I bought the script from recommends.
Sounds like your vendor has not taken the time to understand permissions, or
use them effectively. It's similar to running scripts as root, 'cause it's
> Also, what is the 'default' permission of file? i.e. if I upload a file,
> what will its permissions be set to by default?
This depends on:
- the effective userid and groupid(s) of the process creating the file
- the current file mode creation mask [the "umask"]
- the setgid [S_ISGID] bit on the parent directory of the file
> Thanks for your input, I'm relying upon it.
Instead, I would suggest you take a look at the chmod(2) and creat(2)
manual pages for starters. Then experiment with different permissions for
files and directories until you know why access was granted or denied. And
understand why a file/directory for your site needs the permissions it has.
It'll probably save you a lot of grief in the future, imho.
QYXYQ - Custom Software Solutions
Woodstock, New York
+1 (845) 679-5199
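An added example, not part of the original post: a shell audit that flags the modes the reply warns about (world-writable data files, group-writable directories, password files readable beyond the owner, and execute bits on non-scripts). The function name `audit_cgi`, the finding labels and the default `*passw*` file-name pattern are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: flag the risky modes discussed in the reply above.
# Assumption: secret files are found by a name glob (default '*passw*').
# Usage: audit_cgi /path/to/cgi-bin ['*secret-glob*']
audit_cgi() {
    root=$1
    secret_glob=${2:-'*passw*'}

    # World-writable files and directories (the "777 data files" case).
    find "$root" \( -type f -o -type d \) -perm -0002 -print |
        sed 's/^/WORLD-WRITABLE /'

    # Group-writable directories: any group member can create, replace
    # or remove entries there, CGI scripts included.
    find "$root" -type d -perm -0020 ! -perm -0002 -print |
        sed 's/^/GROUP-WRITABLE-DIR /'

    # Secret files readable by group or other (644 where 600 would do).
    find "$root" -type f -name "$secret_glob" \
        \( -perm -0040 -o -perm -0004 \) -print |
        sed 's/^/EXPOSED-SECRET /'

    # Owner-executable files that do not start with "#!": most likely
    # data files that do not need the execute bit. Compiled CGI
    # binaries also land here and need a manual look.
    find "$root" -type f -perm -0100 -print |
        while IFS= read -r f; do
            [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ] ||
                printf 'EXEC-NOT-SCRIPT %s\n' "$f"
        done
}
```

An empty result means none of the four checks matched; it does not show that the owner and group assignments themselves are appropriate.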