CGI permissions

netmotiv8

Verified User
Joined
Sep 26, 2003
Messages
234
Location
UK
Hi,

I am a little confused about allowable permissions for CGI. I am aware that SUExec prevents scripts from running is certain permissions are being used e.g. 777 etc. I have many scripts which instructed to set permissions for files/dirs to 777 or 666 etc, etc. The site-helper.com site does not indicate any problems relating to permissions with SUExec.

I am sure my customers will fall into same trap and thus provide an overhead of unwanted support requests.

Can someone give me the lowdown and what is allowed/not allowed and what chmods I should be using instead.

Many thanks

Neil :D
 
Hello,

rules:

1) all files must be owned by the user they're running as (ie the same as the directadmin login username)
2) script must *not* be writeable by others. 777 will not work. The highest allowed is 755, but 700 will work just fine.
3) same rules apply to the cgi-bin directory from rules 1) and 2). It must be owned by the same user, and must have at most a permission of 755.

John
 
No (i don't think) - that would be putting write and execute permissions above the limit

Chris
 
:(

So what is recommended where script installation instructs that permissions for certain items of the programs to be set to 666 or 777?

Having tried a few things it seems that I only need to set the .cgi or .pl files to 755 and leave, for the most part, the rest of the files as they are (typically 644) and things seem to work ok, therefore ignoring most of the script installation instructions! In some respects it can make installation easier although would be confusing if you were to follow the script installation instructions properly.

Should the site-helper.com web site not reflect these issues? It doesnt mention any issues with using 777 etc.


Neil

:D
 
Hello,

777 will never be required as long as the running program has the same ownership as the directory it's writing to. I believe that script make this requirement under the assumption that the script will be running as "apache" and writing to a directory owned by the user. But for DA, the scripts are run as the same user, thus 777 shouldn't be needed. However, suexec doesn't check directory permissions, only the script it's running, so a permission of 777 on a directory should work just fine, but not on a cgi file.

John
 
Back
Top