Unix Permissions

One of the biggest problems people who have never used Unix face when first having to set up CGI scripts is Unix permissions. When you log into your Unix account and get to a Unix prompt, you can type the command ls -al to see a list of the files in your home directory. It will look similar to this:

    no4:/home3/joe<ls -al
    total 458
    drwxr-xr-x   7 joe  users   1024 Feb 15 02:14 .
    drwxr-xr-x 174 root root    3584 Feb 21 00:46 ..
    -rw-r--r--   1 joe  users    184 Feb 17  1998 .bashrc
    drwxr-xr-x   2 joe  users    512 Feb 17  1998 .procmail
    -rw-r--r--   1 joe  users    211 Apr 28  1998 .profile
    drwxr-xr-x   2 joe  users    512 Feb 17  1998 autoresponders
    -rw-r--r--   1 joe  users    159 Mar 25  1998 email.fwd
    -rw-r--r--   1 joe  users  42299 Feb 15 02:14 joessite-access.log.gz
    -rw-r--r--   1 joe  users  79372 Aug 31 02:14 joessite-access.log.gz.bak
    -rw-r--r--   1 joe  users    124 Feb 17  1998 local.cshrc
    -rw-r--r--   1 joe  users    575 Feb 17  1998 local.login
    -rw-r--r--   1 joe  users    560 Feb 17  1998 local.profile
    drwxr-xr-x   7 joe  users    512 Feb 17  1998 public_ftp
    drwxr-xr-x  13 joe  users    512 Dec  9 20:01 public_html
    -rwxr-xr-x   1 joe  users   2244 Feb 17  1998 sample.procmailrc
    ----------   1 root root       0 Jul 10  1998 t.fvpro

Let's take a look at one of the lines, and dissect what the information means. First, the part on the left looks like this:
The character on the far left tells you what kind of file this item is. If it is a dash - then that means it is a normal file. If it is a d then that means it is a directory (folder). Those are the two important ones. There are several other things it could be, but for simplicity's sake, we don't need to concern ourselves with that.

After that there are three groups of three characters. These groups indicate the permissions of the file or directory. Permissions determine who can read from the file or write to the file. Fairly simply, the r means read permission, the w means write permission, and the x means execute permission. If there is a dash - then that means that permission is not granted.

The first group of the permission bits corresponds to the user's (i.e. your) permissions. These are the permissions for the person who created the file (the owner).

The second group of permission bits corresponds to the group's permissions. Each file or directory belongs to a group. Most users of our service are in the group users. Anyone who belongs to this group has these permissions for the file. If you wish to see what groups you belong to, type the command groups.

The third group of permission bits corresponds to the world permissions. These are the permissions granted to everyone. The web server runs as a separate user and group, so your files and directories must be readable by world in order for the web server to serve them; any scripts you have also need to be world executable. If you need the web server to write to some files, they need to be world writable, which means that anyone else with an account on the server, not just the web server, could write to and overwrite your files as well. If you need to do this, it is suggested that you use CGIWrap or suExec, which will run such scripts as your username and not as the web server, thus ensuring that no one else can overwrite these files.

Continuing along the line of items, in the above example you'll see joe. This is the username of the owner of the file. This is normally the person who created the file. Next is the group the file belongs to. In the above example, the files belong to the group users. After that you'll see the size of the file in bytes. Next is the date and time the file was last modified, and finally the name of the file.

There is one Unix command that you should become familiar with in order to manipulate permissions.
chmod permissions filename
    1  --x
    2  -w-
    3  -wx
    4  r--
    5  r-x
    6  rw-
    7  rwx

chmod 664 test.html would change the permissions of the file test.html to be -rw-rw-r--.

The second method of changing permissions is using the symbolic mode.
The general format for the symbolic mode is:
    g - group's permissions
    o - other's permissions
    a - all permissions (user, group, and other)

    - - Removes the permission
    = - Sets the permission exactly

    w - the write bit
    x - the execute bit

Some examples:

Now we'll take a look at how permissions affect you on the Web. The first step is understanding the public_html directory. All your web-site data (HTML, images, scripts, etc.) must go underneath public_html. You can create sub-directories within it.

The default public_html permission bits are 755, which allow you to read, write and execute your files, and allow others (including the web server) to read and execute them but not write to them. If you ever need to give the web server write access to a file, make only that file world writable; do not make the entire directory world writable, as then anyone can create any files they wish within that directory.

The only requirement for an HTML document is that the web server can read it. The default permission for all newly uploaded files via FTP gives read permissions to all, so you do not need to alter permissions of any of the HTML or image files you upload. You do need, however, to change your .cgi file permissions to 755 within Telnet, unless your FTP client supports chmod via FTP directly.

Please note that for text script files, e.g. perl or shell scripts, in order for the file to be executable by the web server (world permissions section), the file must also be readable, as it is first read line-by-line and then executed. Compiled executables (e.g. C/C++ gcc output) do not need to be readable to be executable.
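
The rules above can be checked mechanically. The following script is an added example, not part of the original page: it lists world-writable directories and files under a web root, and .cgi scripts that are not both world-readable and world-executable. The function names are chosen for this example; pass the path of your public_html directory as the argument.

```shell
#!/bin/sh
# Added example: audit a web root against the permission rules on this page.
# All function names here are hypothetical, chosen for this example.

# Directories in which anyone on the server can create files
# (the world write bit, octal 002, is set).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Files that anyone on the server can overwrite.
world_writable_files() {
    find "$1" -type f -perm -0002 -print
}

# .cgi text scripts that are not both world-readable and world-executable
# (octal 005), so a web server running as another user cannot run them.
unrunnable_cgi() {
    find "$1" -type f -name '*.cgi' ! -perm -0005 -print
}

# Print one labelled line per finding, with the ls-style mode string.
# Returns 0 only when nothing was flagged.
audit_webroot() {
    root=$1
    rc=0
    for check in world_writable_dirs world_writable_files unrunnable_cgi; do
        hits=$("$check" "$root")
        if [ -n "$hits" ]; then
            rc=1
            printf '%s\n' "$hits" | while IFS= read -r path; do
                mode=$(ls -ld "$path" | cut -c1-10)
                printf '%s: %s %s\n' "$check" "$mode" "$path"
            done
        fi
    done
    return "$rc"
}

# Run against the directory given as the first argument, if any.
if [ -n "${1:-}" ]; then
    audit_webroot "$1"
fi
```

A world-writable file is sometimes intentional (the page's case of a file the web server must write to); a world-writable directory is the finding to remove first.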