Unix Permissions
One of the biggest problems people who have never used Unix face when
first having to set up CGI scripts is Unix permissions. When you
log into your Unix account and get to a Unix prompt, you can type
the command ls -al to see a list of the files in your
home directory. It will look similar to this:
no4:/home3/joe<ls -al
total 458
drwxr-xr-x 7 joe users 1024 Feb 15 02:14 .
drwxr-xr-x 174 root root 3584 Feb 21 00:46 ..
-rw-r--r-- 1 joe users 184 Feb 17 1998 .bashrc
drwxr-xr-x 2 joe users 512 Feb 17 1998 .procmail
-rw-r--r-- 1 joe users 211 Apr 28 1998 .profile
drwxr-xr-x 2 joe users 512 Feb 17 1998 autoresponders
-rw-r--r-- 1 joe users 159 Mar 25 1998 email.fwd
-rw-r--r-- 1 joe users 42299 Feb 15 02:14 joessite-access.log.gz
-rw-r--r-- 1 joe users 79372 Aug 31 02:14 joessite-access.log.gz.bak
-rw-r--r-- 1 joe users 124 Feb 17 1998 local.cshrc
-rw-r--r-- 1 joe users 575 Feb 17 1998 local.login
-rw-r--r-- 1 joe users 560 Feb 17 1998 local.profile
drwxr-xr-x 7 joe users 512 Feb 17 1998 public_ftp
drwxr-xr-x 13 joe users 512 Dec 9 20:01 public_html
-rwxr-xr-x 1 joe users 2244 Feb 17 1998 sample.procmailrc
---------- 1 root root 0 Jul 10 1998 t.fvpro
Let's take a look at one of the lines, and dissect what the information
means. First, the part on the left looks like this:
The character on the far left tells you what kind of file this item
is. If it is a dash - then that means it is a normal file.
If it is a d then that means it is a directory (folder).
Those are the two important ones. There are several other things it
could be, but for simplicity's sake, we don't need to concern ourselves
with that.
After that there are three groups of three characters. These groups indicate
the permissions of the file or directory. Permissions determine
who can read from the file or write to the file. Fairly simply,
the r means read permission, the w means write
permission, and the x means execute permission. If there
is a dash - then that means that permission is not granted.
The first group of the permission bits corresponds to the user's (i.e.
your) permissions. These are the permissions for the person who created
the file (the owner). The second group of permission bits corresponds
to the group's permissions. Each file or directory belongs to a
group. Most users of our service are in the group users.
Anyone who belongs to this group has these permissions for the
file. If you wish to see what groups you belong to, type the command groups.
The third group of permission bits corresponds to the world permissions.
These are the permissions granted to everyone.
The web server runs as a separate user and group, so your files and
directories must be readable by world in order for the web server
to serve them; any scripts you have also need to be world executable.
If you need the web server to write to some files, they need to
be world writable, which means that anyone else with an account
on the server, not just the web server, could write to and overwrite
your files as well. If you need to do this, it is suggested that
you use CGIWrap or suExec which will run such scripts as your username
and not the web server, thus ensuring that no one else can overwrite
these files.
Continuing along the line of items, in the above example you'll see joe.
This is the username of the owner of the file. This is normally
the person who created the file.
Next is the group the file belongs to. In the above example, the files
belong to the group users. After that you'll see the size
of the file in bytes. Next is the date and time the file was last
modified, and finally the name of the file.
There is one Unix command that you should become familiar with in order
to manipulate permissions.
chmod permissions filename
chmod will change the permission bits of the file or directory.
There are two ways to use chmod. One way is to give it the exact permissions
with the absolute mode. This is essentially a three digit number with the
first digit corresponding to the user's permissions, the second digit is
the group permissions, and the last digit is the world permissions. The
values of the digit correspond in the following way:
0 ---
1 --x
2 -w-
3 -wx
4 r--
5 r-x
6 rw-
7 rwx
So for example, the command:
chmod 664 test.html
would change the permissions of the file test.html to be -rw-rw-r--.
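The digit table above can be applied mechanically to any line of an ls -al listing. The following is an added example, not part of the original page: the function names mode_to_octal, is_world_writable, annotate_listing and sample_listing are made up for illustration, and the sample lines are copied from the listing shown earlier. It handles only the r, w and x bits covered here.

```shell
#!/bin/sh
# mode_to_octal MODESTRING: "-rw-rw-r--" -> "664" (r=4, w=2, x=1 per group).
mode_to_octal() {
    rest=${1#?}                      # drop the file-type character (- or d)
    digits=
    for grp in user group world; do
        tail=${rest#???}
        trip=${rest%"$tail"}         # the first three remaining characters
        rest=$tail
        d=0
        case $trip in r??) d=$((d + 4)) ;; esac
        case $trip in ?w?) d=$((d + 2)) ;; esac
        case $trip in ??x) d=$((d + 1)) ;; esac
        digits=$digits$d
    done
    printf '%s\n' "$digits"
}

# True when the world group (the last three characters) grants write.
is_world_writable() {
    case $1 in ????????w?) return 0 ;; *) return 1 ;; esac
}

# Read "ls -al" lines on stdin; print absolute mode, mode string and name.
annotate_listing() {
    while read -r mode links owner group size mon day when name; do
        [ -n "$name" ] || continue   # skips the "total" line
        flag=
        is_world_writable "$mode" && flag=' WORLD-WRITABLE'
        printf '%s %s %s%s\n' "$(mode_to_octal "$mode")" "$mode" "$name" "$flag"
    done
}

# Lines taken from the sample listing on this page.
sample_listing() {
    cat <<'EOF'
total 458
-rw-r--r-- 1 joe users 184 Feb 17 1998 .bashrc
drwxr-xr-x 13 joe users 512 Dec 9 20:01 public_html
-rwxr-xr-x 1 joe users 2244 Feb 17 1998 sample.procmailrc
---------- 1 root root 0 Jul 10 1998 t.fvpro
EOF
}

sample_listing | annotate_listing
```

On a live account, `ls -al | annotate_listing` gives the same view of the current directory.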
The second method of changing permissions is using the symbolic mode.
The general format for the symbolic mode is: chmod who+-=permission filename
Possible values for the who are:
u - user's permissions
g - group's permissions
o - other's permissions
a - all permissions (user, group, and other)
+, - or = (use only one):
+ - Adds the permission
- - Removes the permission
= - Sets the permission exactly
permission - specifies which permission bit to change. The ones we are concerned
with are:
r - the read bit
w - the write bit
x - the execute bit
Some examples:
If the permissions are currently -rwx------, then the command:
chmod a+r example.html
will change it so everyone (all) can read it. The result would then be
-rwxr--r--.
If the permissions are currently -rwx------, then the command:
chmod u=r another_example.html
will change it so the user can only read it (exact set). The result would
then be -r--------.
Now we'll take a look at how permissions affect you on the Web. The
first step is understanding the public_html directory. All your
web-site data (HTML, images, scripts, etc.) must go underneath public_html.
You can create sub-directories within.
The default public_html permission bits are 755, which
allow you to read, write and execute your files, while others (including
the web server) can read and execute them, but not write to your files.
If you ever need to give the web server write access to a file, change only
that file to world-writable mode; do not change the entire directory
to world-writable, as then anyone can create any files they wish within
that directory.
The only requirement for an HTML document is that the web server can
read it. The default permission for all newly uploaded files via FTP gives
read permissions to all, so you do not need to alter permissions of any
of the HTML or image files you upload. You do need, however, to change
your .cgi file permissions to 755 within Telnet, unless
your FTP client supports chmod via FTP directly.
Please note that for text script files, e.g. Perl or shell scripts, in
order for the file to be executable by the web server (world permissions
section), the file must also be readable, as it is first read line-by-line
and then executed. Compiled executables (e.g. C/C++ gcc output) do
not need to be readable to be executable.
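The rules above for public_html can be checked in one pass with find. This is an added example, not part of the original page: audit_webroot and build_sample_tree are made-up names, and the sample tree (uploads, guestbook.dat, form.cgi, ok.cgi) is constructed for the demonstration.

```shell
#!/bin/sh
# audit_webroot DIR: list permission problems under a web root.
audit_webroot() {
    root=$1
    # Directories where any account on the server could create files.
    find "$root" -type d -perm -0002 -print | sed 's/^/WORLD-WRITABLE-DIR /'
    # Files any account could overwrite; keep only the ones that are needed.
    find "$root" -type f -perm -0002 -print | sed 's/^/WORLD-WRITABLE-FILE /'
    # CGI scripts that lack world read or world execute (should be 755).
    find "$root" -type f -name '*.cgi' ! -perm -0005 -print |
        sed 's/^/CGI-NOT-WORLD-RX /'
}

# Constructed sample tree: one finding of each kind plus correct entries.
build_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/public_html/cgi-bin" "$d/public_html/uploads"
    : > "$d/public_html/index.html"
    : > "$d/public_html/guestbook.dat"
    : > "$d/public_html/cgi-bin/form.cgi"
    : > "$d/public_html/cgi-bin/ok.cgi"
    chmod 755 "$d/public_html" "$d/public_html/cgi-bin"
    chmod 755 "$d/public_html/cgi-bin/ok.cgi"     # correct for a script
    chmod 644 "$d/public_html/index.html"         # correct for HTML
    chmod 644 "$d/public_html/cgi-bin/form.cgi"   # uploaded, never chmod 755
    chmod 666 "$d/public_html/guestbook.dat"      # world-writable file
    chmod 777 "$d/public_html/uploads"            # world-writable directory
    printf '%s\n' "$d"
}

tree=$(build_sample_tree) && audit_webroot "$tree/public_html"
rm -rf "$tree"
```

Run `audit_webroot ~/public_html` on a real account; any WORLD-WRITABLE line is a candidate for moving the script to CGIWrap or suExec and restoring 644 or 755.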