Permission Discussion

Permission Discussion

Post by Mike » Wed, 24 Jul 2002 21:58:15



I'd just like to confirm a few things. I'm a little worried that I may be
doing something unsafe...

Here's what I'm planning to do:

In my cgi-bin:

Make all my cgi-scripts 755
Make my password data files 644
Make lots of data files 777
Make some directories in my cgi-bin 775 (data files get written in these)

Elsewhere:

Make one directory elsewhere in my webspace 775 (html pages get
automatically produced here by the cgi script)

What are your thoughts on this?
Am I leaving anything vulnerable?
What can I potentially be allowing unauthorised people (i.e. anyone but
myself) to do?

I'm setting permissions in this way as that is what the site I bought the
script from recommends.

Also, what is the 'default' permission of  file? i.e. if I upload a file,
what will it's permissions be set to by default?

Thanks for your input, I'm relying upon it.

Mike

 
 
 

Permission Discussion

Post by Paul Wirt » Sun, 28 Jul 2002 04:50:42


Mike,

Do a man on:  umask.

File permissions seem fine as long as you remember:

    1)    ownership...as in you didn't specify who owned the files...

    2)    setuid permissions.  i use them but onl;y on trusted closed
networks.
        in the 'real world' be afraid....

paul.n.wirtz


 
 
 

Permission Discussion

Post by Derek Ludwi » Fri, 02 Aug 2002 11:43:21


<SNIP>

Quote:> Here's what I'm planning to do:

> In my cgi-bin:

> Make all my cgi-scripts 755
> Make my password data files 644

This is world-readable ... if your passwords are not encrypted, then ANYONE
can read your passwords.  Since they are YOUR passwords, perhaps 600 would
be more appropriate.

Quote:> Make lots of data files 777

You may want to make the distinction between those datafiles that are only
read (make them 644) and those that need to be written. If they need to be
written, who does the writing?  A single userid?  A group?  Set the
permission appropriately. Also, do the files need to be executable?

Quote:> Make some directories in my cgi-bin 775 (data files get written in these)

[If I remember correctly...] The permissions of a directory do not restrict
the writing of a file. They only control the creation and removal of entries
(files and subdirectories) in that directory. So if a datafile is written
to, but is not created and/or removed, you need not make the directory
writable by the group.

Quote:> Make one directory elsewhere in my webspace 775 (html pages get
> automatically produced here by the cgi script)

Your CGI script is creating temporary web pages? So you can cache the
results?  Have you considered how to control the number and sizes of these
pages, and how to clean up this directory?

Quote:> What are your thoughts on this?
> Am I leaving anything vulnerable?
> What can I potentially be allowing unauthorised people
> (i.e. anyone but myself) to do?

Actually, if I were the SA of this system, I would not permit this
permission scheme, as there are just too many avenues for accidental or
intended damage. For instance, since anyone in the group can create or
modify scripts in your cgi-bin, someone could drop in a script that invokes
"rm -rf /". Would not that be fun?

Quote:> I'm setting permissions in this way as that is what the
> site I bought the script from recommends.

Sounds like your vendor has not taken the time to understand permissions, or
use the effectively. It's similar to running scripts as root, 'cause it's
easier.

Quote:> Also, what is the 'default' permission of  file? i.e. if I upload a file,
> what will it's permissions be set to by default?

This depends on:
- the effective userid and groupid(s) of the process creating the file
- the current file mode creation mask [the "umask"]
- the setgid [S_ISGID] bit on the parent directory of the file

Quote:> Thanks for your input, I'm relying upon it.

Instead, I would suggests you take a look at the chmod(2) and creat(2)
manual pages for starters. Then experiment with different permissions for
files and directories until you know why access was granted or denied. And
understand why a file/directory for your site needs the permissions it has.

It'll probably save you a lot of grief in the future, imho.

Good luck

    Derek

--

Derek Ludwig
QYXYQ - Custom Software Solutions
Woodstock, New York

+1 (845) 679-5199

www.qyxyq.com

 
 
 

Permission Discussion

Post by News.CIS.DFN.D » Wed, 18 Sep 2002 22:00:54


Hi Mike!

I have found this little utility for Palm very handy when it comes to chmod
and umask...
If you are an happy Palm Pilot owner, give it a try.

http://redtroll.com/pilot/chmodconv.html

--

/Red


Quote:> I'd just like to confirm a few things. I'm a little worried that I may be
> doing something unsafe...

> Here's what I'm planning to do:

> In my cgi-bin:

> Make all my cgi-scripts 755
> Make my password data files 644
> Make lots of data files 777
> Make some directories in my cgi-bin 775 (data files get written in these)

> Elsewhere:

> Make one directory elsewhere in my webspace 775 (html pages get
> automatically produced here by the cgi script)

> What are your thoughts on this?
> Am I leaving anything vulnerable?
> What can I potentially be allowing unauthorised people (i.e. anyone but
> myself) to do?

> I'm setting permissions in this way as that is what the site I bought the
> script from recommends.

> Also, what is the 'default' permission of  file? i.e. if I upload a file,
> what will it's permissions be set to by default?

> Thanks for your input, I'm relying upon it.

> Mike

 
 
 

1. Permission Discussion

I'd just like to confirm a few things. I'm a little worried that I may be
doing something unsafe...

Here's what I'm planning to do:

In my cgi-bin:

Make all my cgi-scripts 755
Make my password data files 644
Make lots of data files 777
Make some directories in my cgi-bin 775 (data files get written in these)

Elsewhere:

Make one directory elsewhere in my webspace 775 (html pages get
automatically produced here by the cgi script)

What are your thoughts on this?
Am I leaving anything vulnerable?
What can I potentially be allowing unauthorised people (i.e. anyone but
myself) to do?

I'm setting permissions in this way as that is what the site I bought the
script from recommends.

Also, what is the 'default' permission of  file? i.e. if I upload a file,
what will it's permissions be set to by default?

Thanks for your input, I'm relying upon it.

Mike

2. performance measurement tools

3. Permission Woes - can't add write permission

4. Fedora 1 on D865PERL with SATA RAID 1 (Mirror) -- Will it work?

5. Is it possible to have execute permissions without read permissions?

6. ~~~GCC/G++~~~

7. How to reset permissions on file with no read permissions

8. PPP and callback?

9. Do group permissions always override permissions for other (both more and less restrictive)?

10. file permissions/permission execution

11. Welcome to NetBSD discussion forums, message boards

12. Message list font in Netscape Mail&Discussion

13. securing shell accounts discussion