
Topic 84 of 109: File ownership on the Spring's webs

Thu, Sep 19, 2002 (05:52) | User & (admin)
File permissions for web pages are one of the biggest issues I deal with, so I'm starting a topic to discuss ownerships and permissions on Spring webs.
4 responses total.

 Response 1 of 4: User & (admin) * Thu, Sep 19, 2002 (05:53) * 25 lines 
 
I found this system used at Worcester Poly:

File Permissions for Web Pages
Note: A separate set of rules apply to CGI scripts in your cgi-bin directory. Please read the notes on the CGI Guidelines page for more information.

Security is a big deal these days, especially as more and more people start to use the web. Your web page really isn't any good if anyone can come along and change what you've written. There are a few ways to restrict access to who can see and modify your web pages, then. (This is most pertinent for keeping people with access to WPI machines from modifying files in your "public_html" web directory.)

If you are interested in knowing how to restrict access to your web pages from across the internet (i.e. through Netscape or some other web browser), please refer to our access restriction page.

To modify file permissions under UNIX you use the chmod command. It is described in detail on the chmod page, but there are a few important specifics for web writers to keep in mind.

The files in your public_html directory you want displayed in a web browser, including images, must be world-readable. You can make a file world-readable by typing "chmod a+r [filename]" at the UNIX prompt. If they are not world-readable web browsers can not access them.
Your web directories must be world-executable. You can make them so by typing "chmod a+x [directoryname]" at the UNIX prompt. This ensures that web browsers can access the directory and files within it. Note: your "public_html" directory must also be world-executable.
Permissions and .htaccess-related files
If you are using .htaccess files to restrict access to your webpage you will want to ensure the associated security files (.htaccess, .htgroup and/or .htpasswd), are secure. To do this WPI has installed a program which will change the read permissions for a file to the owner (you), and "nobody." The result is a secure file you can modify and the webserver (thus the web browsers) can see, but others local at WPI can't modify.

To set a file's group to "nobody" run the nobody command at the UNIX prompt. The argument for this program is a directory name. It will descend a directory tree and change the files in it to the "nobody" group. After removing the access for "others" the web would be private. Examples:

nobody ~/public_html/directory-to-protect
chmod -R o-rwx ~/public_html/directory-to-protect

If you want to return the files to a different group, use the reclaim program at the UNIX prompt. It takes a filename as an argument, and is not recursive like nobody.

Another way to make them accessible to the web server is to make the files world readable: chmod a+r .htaccess; chmod a+r .htpasswd
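An added example, not part of the WPI text quoted above, that turns the rules in that post into a check you can run over a public_html tree: every directory must be world-executable (passthrough), every served file must be world-readable, and the credential files (.htpasswd, .htgroup) must not be readable by "others". The sample tree is constructed here with deliberate mistakes; the fix function applies the same chmod commands the post gives. The site-specific "nobody" group step is not reproduced, because the server's group name differs from site to site, so after the fix .htpasswd is readable only by its owner until that group is set.

```shell
#!/bin/sh
# Added example (not from the quoted WPI page): audit and repair the
# permissions of a public_html tree according to the rules above.

# make_sample_tree: build a constructed public_html under a temp dir with
# three deliberate problems, and print the temp dir's path.
make_sample_tree() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/public_html/private" "$root/public_html/images"
  : > "$root/public_html/index.html"
  : > "$root/public_html/images/logo.gif"
  : > "$root/public_html/private/.htaccess"
  : > "$root/public_html/private/.htpasswd"
  : > "$root/public_html/private/secret.html"
  chmod 711 "$root/public_html"                 # ok: passthrough for the server
  chmod 755 "$root/public_html/images"          # ok
  chmod 700 "$root/public_html/private"         # mistake: server cannot traverse
  chmod 644 "$root/public_html/index.html"      # ok
  chmod 600 "$root/public_html/images/logo.gif" # mistake: not world-readable
  chmod 644 "$root/public_html/private/.htaccess"
  chmod 644 "$root/public_html/private/.htpasswd" # mistake: other local users can read it
  chmod 644 "$root/public_html/private/secret.html"
  printf '%s\n' "$root"
}

# audit_web_dir DIR: print one line per finding.
#   -perm -001 tests the other-execute bit, -perm -004 the other-read bit.
audit_web_dir() {
  dir=$1
  find "$dir" -type d ! -perm -001 | sed 's/^/DIR not world-executable: /'
  find "$dir" -type f \( -name .htpasswd -o -name .htgroup \) -perm -004 \
    | sed 's/^/SECRET readable by others: /'
  find "$dir" -type f ! -name .htpasswd ! -name .htgroup ! -perm -004 \
    | sed 's/^/FILE not world-readable: /'
}

# fix_web_perms DIR: apply the post's commands to the whole tree.
fix_web_perms() {
  dir=$1
  find "$dir" -type d -exec chmod a+x {} +
  find "$dir" -type f ! -name .htpasswd ! -name .htgroup -exec chmod a+r {} +
  # Credential files: drop all access for "others". In the WPI setup the
  # group is first switched to the web server's group so the server keeps
  # read access; that step is site-specific and omitted here.
  find "$dir" -type f \( -name .htpasswd -o -name .htgroup \) -exec chmod o-rwx {} +
}

# Usage: audit the constructed tree, fix it, audit again.
tree=$(make_sample_tree)
audit_web_dir "$tree/public_html"
fix_web_perms "$tree/public_html"
audit_web_dir "$tree/public_html"
rm -rf "$tree"
```

The first audit reports the three planted problems; the second reports nothing. Run the audit on a real ~/public_html without the fix step first, since a blanket a+r is exactly the mistake the post warns about for .htpasswd.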



 Response 2 of 4: User & (admin) * Thu, Sep 19, 2002 (05:55) * 58 lines 
 
In basic UNIX permissions you can divide users into three groups:

user - the owner of the file.
group - users that belong to the same group as that of the file.
other - all other users.

For each group, you can set combinations of three permissions: 'read', 'write', and 'execute.' The 'execute' permission is a little odd in that when it applies to directories it allows users to enter the directory and is usually called the 'passthrough' permission.

To illustrate, let's examine what the output of ls -l mycgi.cgi might look like.

-rwxr-x--x 1 dmah staff 6707 Feb 19 08:47 mycgi.cgi

The first character will indicate what type of object that you're looking at. The '-' means it is a file. The other common one that you'll see is a 'd' which indicates that it is a directory. The next three characters represent what permissions that the owner of the file has. In this case, the owner has read, write, and execute permission on the file. The next three characters represent what permissions that anyone in the group 'staff' would have on this file. In this case, that would be read and execute permission. The final three characters are the permissions that everyone else has and the only permission assigned to these people is execute.

Let's take a look at a directory now: ls -ld public_html

drwx--x--x 6 dmah staff 1024 Jul 09 10:59 public_html

Here we see the 'd' for directory which we expect. The first three characters show us that 'dmah' has read, write, and passthrough permission on this directory. The second and third set of permissions indicate that only passthrough is allowed for users in the 'staff' group and anyone else. This means that everybody, other than the owner of the directory, will be able to enter (or cd to) the directory but will not be able to read (or ls) from or write to the directory.

Now let's combine these two pieces of information in order to get our CGI program to run. We know that usually the Web server will run as the under-privileged user 'nobody.' Also 'nobody' usually only belongs to the group 'nobody.' So the minimum set of permissions that we need to run our CGI program is 'execute' permission for everybody.

So how do we set our file permissions? For that we need to take a look at the command: chmod. Generally the command is specified as:

chmod [options] mode file(s)

There are a few options available to this command but the most useful, and the only one I'll mention, is the '-R' flag which will descend directories recursively changing the file mode or permissions of each file.

The 'mode' can be described in a couple different ways: symbolically and numerically. Symbolically, you create the 'mode' by indicating who this change applies to, what the change is, and what permissions you are changing. Who the change applies to is one of: 'u' for the user/owner, 'g' for the group, and 'o' for everybody else. There are three changes that you can make to a file: '+' add permissions, '-' take away permissions, and '=' set the permission. Finally, there's the permissions themselves which are indicated by: 'r' for read, 'w' for write, and 'x' for execute or passthrough. So let's take a look at some examples,


chmod u-x mycgi.cgi
Take away execute from the owner of mycgi.cgi.
chmod o+x mycgi.cgi
Add execute for everyone.
chmod g+rw mycgi.cgi
Add read and write for the group.
chmod =rx mycgi.cgi
Set permissions for user, group, and other to read and execute.
The last example left out the 'who' that the mode change would apply to and so it defaults to all three groups.

The numerical method can only be used to set permissions for all three groups at the same time. The 'mode' is created by using a number from 0-7 for each group so we will end up with three digits: the first digit represents the user/owner, the second the group, and the third everybody else. Next, each permission is assigned a value: 4 represents read, 2 represents write, and 1 represents execute or passthrough. To have combinations of permissions, you add the numbers up. So 0 would represent no permission while 7 would represent read, write, and execute. For example,


chmod 210 mycgi.cgi
Write for user, execute for group, nothing for other.
chmod 543 mycgi.cgi
Read/execute for user, read for group, write/execute for other.
chmod 765 mycgi.cgi
Read/write/execute for user, read/write for group, read/execute for other.
chmod 755 mycgi.cgi
Read/write/execute for user, read/execute for group/other.
The last one is typically the one that you want to assign to your CGI programs.

As long as your CGI programs are doing simple things like reading from or writing to world-accessible files or sending output to be displayed on a Web page, this should be enough to get them working through the Web. However, if you are going to be reading or writing private files, you'll need to go a step further and learn about setuid which will be covered in the second half of this tutorial.


http://www.evolt.org/article/UNIX_File_Permissions_and_Setuid_Part_1/18/224/
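An added example, not part of the evolt tutorial quoted above, that does the arithmetic the tutorial describes in both directions: the nine-character rwx string shown by ls -l is converted to the three-digit numeric mode, a numeric mode is expanded back to rwx form, and a scratch file is chmod'ed and read back so you can confirm what a given symbolic or numeric mode actually sets. Special bits (setuid, setgid, sticky) are not encoded in the three digits; an s or t in an execute slot is simply counted as execute set.

```shell
#!/bin/sh
# Added example (not from the quoted tutorial): convert between ls -l
# permission strings and numeric chmod modes, and verify chmod's effect.

# mode_to_octal RWXSTRING: "rwxr-x--x" -> 751
# Input is the nine permission characters (ls -l output without the
# leading type character). r=4, w=2, x=1, summed per user/group/other.
mode_to_octal() {
  perm=$1
  result=""
  for start in 1 4 7; do
    triplet=$(printf '%s' "$perm" | cut -c "$start-$((start + 2))")
    n=0
    case $triplet in r??) n=$((n + 4)) ;; esac
    case $triplet in ?w?) n=$((n + 2)) ;; esac
    case $triplet in ??[xst]) n=$((n + 1)) ;; esac   # s/t: special bit plus execute
    result="$result$n"
  done
  printf '%s\n' "$result"
}

# octal_to_mode DIGITS: 755 -> rwxr-xr-x
octal_to_mode() {
  digits=$1
  out=""
  for pos in 1 2 3; do
    d=$(printf '%s' "$digits" | cut -c "$pos")
    [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
  done
  printf '%s\n' "$out"
}

# check_chmod MODE: apply MODE (symbolic or numeric) to a scratch file,
# then print the numeric mode as read back from ls -l.
check_chmod() {
  tmp=$(mktemp) || return 1
  chmod "$1" "$tmp" || { rm -f "$tmp"; return 1; }
  perm=$(ls -l "$tmp" | cut -c 2-10)   # characters 2-10 are the rwx string
  rm -f "$tmp"
  mode_to_octal "$perm"
}

# Usage: the CGI mode the tutorial recommends, the tutorial's ls -l sample,
# and a symbolic mode that makes a file private to its owner.
mode_to_octal rwxr-x--x   # 751
octal_to_mode 755         # rwxr-xr-x
check_chmod 755           # 755
check_chmod u=rw,go=      # 600
```

check_chmod is the quickest way to settle a doubt about a symbolic mode: `chmod =rx` without a "who" is subject to your umask, so read the result back rather than assuming it set 555.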


 Response 3 of 4: Karen  (KarenR) * Thu, Sep 19, 2002 (13:10) * 9 lines 
 
Terry,

My permissions are gone *again* today for both my directories within spring.net

karenr
(and)
fanfic

Wot happened???? Please fix. I need to update.


 Response 4 of 4: Paul Terry Walhus (terry) * Thu, Sep 19, 2002 (14:23) * 1 lines 
 
I'll update right now.
