
Technical Support
(Historical information only. We hope you find it to be a beneficial resource)

File Privileges, Permissions, and Protections


After you figure out where to put your HTML, Server Side Include commands, and CGI files, the next thing you need to learn is how to enable them so they can be used by the WWW server.

File protections are also referred to as file permissions. The file permissions tell the server who has access to your file and whether the file is a simple text file or an executable program. There are three main types of files: directories, text files, and executable files. Because you typically use Perl as your scripting language, your executable CGI programs will be both text and executable files. Directory files are special text files that are executable by the server. These files contain special directives that tell the server where a group of files is located.

Each of these file types has three sets of permissions. The permissions are Read, Write and Execute. The Read permission allows the file to be opened for reading, but it cannot be modified. The Write permission allows the file to be modified but not opened for reading. The Execute permission is used both to allow program execution and directory listings. If anyone, including yourself, is going to be able to get a listing or move to a directory, the Execute permission on the directory file must be set. The Execute permission also must be set for any program you want the server to run for you. Regardless of the file extension or the contents of a file, if the Execute permission is not set, the server will not try to run or execute the file when the file is called.

This is probably one of the most common reasons for CGI programs not working the first time. If you are using an interpretive language like Perl, you never run a compile and link command, so the system doesn’t automatically change the file permissions to Execute. If you write a perfectly good Perl program and then try to run it from the command line, you might get an error message like "permission denied". If you test your CGI program from your Web browser, however, you are likely to get an Internet file error with a status code of 403. This error code seems kind of ominous the first time you see it, and it really doesn’t help you very much in figuring out what the problem is.

Remember that there are three types of file permissions: Read, Write, and Execute. Each of these file permissions is applied at three separate access levels. These access levels define who can see your files based on their user name and group name.

When you create a file, it gets created with your user name and your group name as the owner and group name of the file, respectively. The file’s Read, Write, and Execute permissions are set for the owner, the group, and other (sometimes referred to as world). This is very important because your Web page is likely to be accessed by anybody in the world. Usually, your Web server will run as user nobody. This means that when your CGI program is executed or your Web page is opened for reading, the process doing so has a group name different from the group you belong to; in other words, someone else will be accessing your files. You must set your file-access permissions to allow your Web server access to your files. This usually means setting the Read and Execute privileges for the world or other group.

In order for your Web page to be opened by anyone on the Net, it must be readable by anyone in the world. In order for your CGI program to be run by anyone on the Net, it must be executable by your Internet server. Therefore, you must set the permissions so that the server can read or execute your files, which usually means making your CGI programs world executable. You set your file permissions by using a command, via telnet, called chmod (change file mode). The chmod command accepts two parameters. The first parameter is the permission mask. The second parameter is the file for which you want to change permissions. Only the owner of a file can change the file’s permissions mask. These permissions can also be set using an ftp program called WS_FTP. While viewing your site with WS_FTP, select the file or directory you wish to set permissions on and right-click on it while holding down the shift key. Select chmod (UNIX) from the pop-up menu.

The permissions mask is a three-digit number: each digit of the number defines the permission for a different user of the file. The first digit defines the permissions for the owner. The second digit defines the permissions for the group. The third digit defines the permissions for everyone else, usually referred to as the world or other, as in other groups. Each digit works the same for each group of users: the owner, group, and world. What you set for one digit has no effect on the other two digits. Each digit is made up of the three Read, Write and Execute permissions. The Read permission value is 4, the Write permission value is 2, and the Execute permission is 1. You add these three numbers together to get the permissions for a file. If you want a file to only be readable and not writeable or executable, set its permission to 4. This works the same for Write and Execute.

Executable-only files have a permission of 1. If you want a file to have Read and Write permissions, add the Read and Write values together (4+2) and you get 6, the permissions setting for Read and Write. If you want the file to be Read, Write and Execute, use the value 7, derived from adding the three permissions (4+2+1). Do this for each of the three permission groups and you get a valid chmod mask.

Suppose that you want your file to have Read, Write, and Execute permissions (4+2+1) for yourself; Read and Execute (4+1) for your group; and Execute (1) only for everyone else. You would set the file permissions to 751, using this command:

chmod 751 [filename]

Tip: If you want the world to be able to use files in a directory, but only if they know exactly what files they want, you can set the directory permission to Execute only. This means that intruders cannot do wild-card directory listings to see what type of files you have in a directory. But if someone knows what type of file she wants, she still can access that file by requesting it with a fully qualified name (no wild cards allowed).
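
The rules above as a permission audit, added here as an example that is not part of the original page: decode applies the Read=4, Write=2, Execute=1 arithmetic to a mask, and audit walks a document root and reports entries whose world digit either will not work as described or grants more than the page asks for. The sample tree, the file names, the .pl/.cgi suffixes and the assumption that the server user is neither the owner nor in the group are all constructed for illustration.

```python
import os
import stat
import tempfile

def decode(mask):
    """Split a three-digit chmod mask such as "751" into rwx strings (Read=4, Write=2, Execute=1)."""
    bits = (("r", 4), ("w", 2), ("x", 1))
    return {who: "".join(c if int(digit) & v else "-" for c, v in bits)
            for who, digit in zip(("owner", "group", "world"), mask)}

def audit(docroot, cgi_suffixes=(".pl", ".cgi")):
    """Return sorted (relative path, finding) pairs, judged on the world digit.
    Assumes the server user ("nobody") is neither the file's owner nor in its group."""
    findings = []
    for base, dirs, files in os.walk(docroot):
        for name in dirs + files:
            path = os.path.join(base, name)
            st = os.lstat(path)
            world = stat.S_IMODE(st.st_mode) & 0o7   # third digit of the mask
            rel = os.path.relpath(path, docroot)
            if world & 2:                             # anyone on the host may modify it
                findings.append((rel, "world-writable"))
            if stat.S_ISDIR(st.st_mode):
                if world == 1:                        # the Tip: no listing, exact names only
                    findings.append((rel, "execute-only directory"))
            elif name.endswith(cgi_suffixes):
                if not world & 1:                     # the 403 case described above
                    findings.append((rel, "CGI not world-executable"))
            elif not world & 4:
                findings.append((rel, "page not world-readable"))
    return sorted(findings)

def build_sample():
    """Create a constructed document root in a temporary directory."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "cgi-bin"))
    layout = {"index.html": 0o644, "private.html": 0o640, "cgi-bin": 0o711,
              "cgi-bin/form.pl": 0o755, "cgi-bin/counter.pl": 0o644,
              "cgi-bin/guestbook.pl": 0o777}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, finding in audit(build_sample()):
        print(rel, "->", finding)
```

The world-writable finding is the one to act on first: a CGI program set to 777 runs for the server but can also be rewritten by any other account on the same host.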

 
 
Copyright © 1995-2000 XyNexT Internet Strategies - All Rights Reserved Worldwide