File Privileges, Permissions, and Protections
After you figure out where to put your HTML, Server Side
Include commands, and CGI files, the next thing you need to learn is how to enable them so
they can be used by the WWW server.
File protections are also referred to as file
permissions. The permissions on a file tell the operating system, and therefore the
server, who may read it, who may modify it, and who may run it. Three kinds of files
matter here: directories, plain text files, and executable files. Because you typically
use Perl as your scripting language, your CGI programs are text files that must also be
marked executable. A directory is a special file type, not a text file: it records the
names of a group of files and tells the system where they are located, and the server
must be allowed to traverse it to reach the files inside.
Each file has three permissions: Read, Write, and Execute, and each one is independent
of the others. Read allows the file to be opened for reading. Write allows the file to be
modified; it says nothing about whether the file can also be read. Execute has two roles:
on a program it allows the program to be run, and on a directory it allows the directory
to be traversed, that is, entered with cd or passed through to reach a file inside it by
name. Getting a listing of a directory's contents additionally needs the directory's Read
permission. The Execute permission must be set on any program you want the server to run
for you. Regardless of the file's extension or contents, if the Execute permission is not
set, the server will not try to run or execute the file when the file is called.
This is probably the most common reason CGI programs do not work the first time. With an
interpreted language like Perl you never run a compile-and-link step, so nothing sets the
Execute permission for you: a newly written file gets only Read and Write (typically mode
644). If you write a perfectly good Perl program and try to run it from the command line,
you get an error message like "Permission denied". If you request the same CGI program
from your Web browser, the server instead returns an HTTP error with status code 403
(Forbidden). That code looks ominous the first time you see it, and it does little to tell
you what the actual problem is.
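The failure described above, reproduced and fixed as an added example (this script is not from the original text). A /bin/sh script stands in for the Perl CGI program, since the interpreter does not matter and the Execute bit does; the file names and the hypothetical helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original text): reproduce the "Permission
# denied" failure and fix it with chmod. A /bin/sh script stands in for the
# Perl CGI program. File names are scratch names chosen for the example.

umask 022   # the usual default: a new file gets 644 (rw-r--r--), no Execute bit

# Write a tiny CGI-style program to $1 the way an editor or FTP upload would.
# Nothing here sets the Execute bit, exactly as with an uploaded Perl script.
make_cgi() {
    cat > "$1" <<'EOF'
#!/bin/sh
printf 'Content-type: text/plain\r\n\r\nhello from cgi\n'
EOF
}

# Exec the file by path, as the server would, and print the exit status
# instead of failing. With no Execute bit the kernel refuses the exec, the
# shell reports "Permission denied" and the status is 126. A Web server
# hitting the same refusal answers the browser with 403 Forbidden.
exec_status() {
    rc=0
    "$1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# The fix: Read and Execute for owner, group and world (755). World needs
# Read as well as Execute because the interpreter named on the #! line has
# to open and read the script; Execute alone (711) would still fail for
# the server's user.
fix_cgi() {
    chmod 755 "$1"
}

# Run the program and return its output once it is executable.
cgi_output() {
    "$1"
}

demo() {
    f=./hello_demo_$$.cgi
    make_cgi "$f"
    echo "before chmod: mode $(ls -l "$f" | cut -c2-10), exec status $(exec_status "$f")"
    fix_cgi "$f"
    echo "after chmod 755: mode $(ls -l "$f" | cut -c2-10), exec status $(exec_status "$f")"
    cgi_output "$f"
    rm -f "$f"
}

demo
```

Run it from a directory you can write to; the first line reports mode rw-r--r-- and status 126, the second rwxr-xr-x and status 0, followed by the program's own output.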
Remember that there are three types of file permissions:
Read, Write, and Execute. Each of these file permissions is applied at three separate
access levels. These access levels define who can see your files based on their user name
and group name.
When you create a file, its owner is your user name and its group is your group name.
The file's Read, Write, and Execute permissions are set separately for the owner, the
group, and other (often referred to as world). This is very important because your Web
page is likely to be accessed by anybody in the world. Usually your Web server runs as
the user nobody, which is neither you nor a member of your group, so when it executes
your CGI program or opens your Web page for reading it is "someone else" accessing your
files, and only the other permissions apply. You must set your file-access permissions
to allow your Web server that access. This usually means setting the Read and Execute
privileges for the world (other) class.
For your Web page to be opened by anyone on the Net, it must be readable by anyone in
the world. For your CGI program to be run by anyone on the Net, it must be executable by
your Internet server. You therefore set the permissions so that the server can read or
execute your files, which usually means making your CGI programs world readable and
world executable: a Perl script is run by an interpreter, which has to read the file,
so Execute alone is not enough. You set file permissions with the chmod (change file
mode) command, typed in a shell session (telnet or ssh). chmod accepts two parameters:
the first is the permission mask, the second is the file whose permissions you want to
change. Only the owner of a file (or the superuser) can change the file's permission
mask. These permissions can also be set from an FTP program such as WS_FTP: while
viewing your site with WS_FTP, select the file or directory you wish to set permissions
on, right-click on it while holding down the Shift key, and select chmod (UNIX) from the
pop-up menu.
The permission mask is a three-digit octal number; each digit defines the permissions
for a different class of user. The first digit defines the permissions for the owner,
the second for the group, and the third for everyone else, usually referred to as world
or other (as in other groups). Each digit works the same way and is independent of the
other two: what you set for one digit has no effect on the others. A digit is the sum of
the permissions it grants: Read is 4, Write is 2, and Execute is 1. If you want a file to
be readable only, not writable or executable, set its digit to 4; Write alone is 2 and
Execute alone is 1. Read and Write together is 4+2 = 6, and Read, Write, and Execute
together is 4+2+1 = 7. Work this out for each of the three classes and you have a valid
chmod mask.
Suppose that you want your file to have Read, Write, and Execute (4+2+1 = 7) for
yourself; Read and Execute (4+1 = 5) for your group; and Execute only (1) for everyone
else. That is mask 751, set with this command:
chmod 751 [filename]
Note that 751 suits a compiled program, which the kernel can execute on behalf of a user
who cannot read it. For a Perl CGI program the interpreter must be able to read the
script, so the server's user needs Read as well: use 755 (Read and Execute for everyone)
instead.
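The mask arithmetic above, worked through as an added example (not from the original text): the functions turn the rwx letters into the octal digits and back, then apply a mask with chmod and read the result back from ls. The helper names and the scratch file name are this example's own.

```shell
#!/bin/sh
# Added example (not from the original text): build a chmod mask from the
# rwx letters, apply it, and read back what the kernel recorded. The helper
# names are this example's own.

# One rwx triplet such as "r-x" -> its octal digit (r=4, w=2, x=1, summed).
triplet_to_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??x) d=$((d + 1)) ;; esac
    echo "$d"
}

# Nine letters in ls order (owner, group, other), e.g. "rwxr-x--x" -> "751".
mode_to_octal() {
    owner=${1%??????}          # first three letters
    rest=${1#???}
    group=${rest%???}
    other=${rest#???}
    echo "$(triplet_to_digit "$owner")$(triplet_to_digit "$group")$(triplet_to_digit "$other")"
}

# The inverse: one octal digit -> "rwx" letters, with a dash where a bit is off.
digit_to_triplet() {
    t=''
    if [ $(( $1 & 4 )) -ne 0 ]; then t="${t}r"; else t="${t}-"; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then t="${t}w"; else t="${t}-"; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then t="${t}x"; else t="${t}-"; fi
    echo "$t"
}

# Three-digit mask such as "751" -> "rwxr-x--x".
octal_to_mode() {
    owner=${1%??}
    rest=${1#?}
    group=${rest%?}
    other=${rest#?}
    echo "$(digit_to_triplet "$owner")$(digit_to_triplet "$group")$(digit_to_triplet "$other")"
}

# Apply a mask to a file with chmod and read the mode back from the
# permission columns of ls -ld (portable, unlike stat's format flags).
apply_and_read() {
    chmod "$2" "$1"
    ls -ld "$1" | cut -c2-10
}

demo() {
    f=./perm_demo_$$
    : > "$f"
    for m in 751 755 644 600; do
        echo "chmod $m -> $(apply_and_read "$f" "$m")"
    done
    rm -f "$f"
}

demo
```

The loop prints rwxr-x--x, rwxr-xr-x, rw-r--r-- and rw------- for the four masks; feeding any of those strings back to mode_to_octal returns the mask you started with.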
Tip: If you want the world to be able to use files in a directory, but only if they know
exactly which files they want, set the directory permission to Execute only. Without the
directory's Read bit nobody can get a listing (wild-card or otherwise) to see what kind
of files you keep there, but anyone who knows a file's name can still fetch it by
requesting it with its fully qualified name (no wild cards allowed). Treat this as an
extra hurdle, not as access control: a name that is guessed or leaked still gives access
to the file, so anything genuinely sensitive should not be readable by the server's user
at all. Whether the server generates its own index pages is a separate server setting;
the directory bit only limits what the server process is allowed to read.
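The tip above, demonstrated as an added example (not from the original text): a directory with only the Execute bit refuses a listing but still hands out a file requested by its exact name. The directory and file names and the hypothetical helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original text): an execute-only directory
# hides its listing but still serves any file fetched by its exact name.
# The directory and file names are scratch names chosen for the example.

# Create $1 holding one world-readable file, then set the directory mode to
# $2. The tutorial's setting is 711 (owner rwx, everyone else x only). To see
# the effect from your own account, where you are the owner, pass 111 so
# that even you lack the Read bit on the directory.
make_hidden_dir() {
    mkdir -p "$1"
    printf 'hello from a hidden directory\n' > "$1/known.txt"
    chmod 644 "$1/known.txt"
    chmod "$2" "$1"
}

# Listing needs the directory's Read bit. Returns 0 if ls succeeds.
# Caveat: root bypasses the Read check, so run this as a normal user.
can_list() {
    ls "$1" >/dev/null 2>&1
}

# Fetching a file by its full name needs only the directory's Execute bit
# (to traverse it) plus the file's own Read bit; the directory's Read bit
# is never consulted.
read_by_name() {
    cat "$1/known.txt"
}

# Restore owner write access so the scratch directory can be removed.
cleanup_dir() {
    chmod 755 "$1"
    rm -rf "$1"
}

demo() {
    d=./hidden_demo_$$
    make_hidden_dir "$d" 111
    if can_list "$d"; then
        echo "listing allowed (are you root?)"
    else
        echo "listing denied"
    fi
    echo "by name: $(read_by_name "$d")"
    cleanup_dir "$d"
}

demo
```

Run as an ordinary user it prints "listing denied" followed by the file's contents; with 711 instead of 111 the owner keeps the listing and only other users lose it.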