Need some clarification on CGI/FastCGI permissions


#1

When running under CGI/FastCGI does the Apache process execute as the site’s owner, or is it the scripts in the owner’s directory which run with the site owner’s permission?

I am confused about what permissions are required on the websites files. I want to know whether this list of permissions is enough for these file groups.

If the Apache process executes as the user can’t the group and other permissions be set to x00 all the way down.

400 - for download only files such as css files, videos, images etc.

500 - for directories that can be listed and where files can’t be created or replaced

500 - For executable files that can’t be replaced. (is it possible to give an executable 100, so that it can be executed only if the filename is known, but not listable?)

700 - for directories that can be written to, listed and where files can be created

700 - for executable files that the server be replace.

If the server process executes as the web user, like apache or nobody, but scripts are executed as the web site owner, would that mean files and directorires for download only would require xx5 permissions


Yoga Redux
Pay $18 for Dreamhost registration with coupon [color=#CC0000]WORDBRAHMAN[/color]


#2

Sadly, the Apache process does not run as the site owner - it runs as the “dhapache” user. Publicly accessible web directories have to be set as world-executable, and publicly accessible files have to be set as world-readable.


#3

Does that mean that in reference to my question, these settings apply

Files readable by webserver xx4 for readable only

Directories listable by server xx5.

Does that also mean that files which are only referenced by the script process, ie all executables and non executables called directly/indirectly or opened by the cgi script don’t need the world readable and executable bit to be set, ie world permissions can be xx0?

Can files which are transferred by the script process directly to the end-user rather than by the server be xx0?


Yoga Redux
Pay $18 for Dreamhost registration with coupon [color=#CC0000]WORDBRAHMAN[/color]


#4

Since the CGI process runs as your user, it can open any file your user has permission, regardless of the group or public permissions. That covers not only data files but code library files (includes, modules) as well. That also goes for executing external programs.

Customer since 2000 :cool: openvein.org


#5

[quote]Does that mean that in reference to my question, these settings apply

Files readable by webserver xx4 for readable only

Directories listable by server xx5.[/quote]
Yep, that all looks good.

Correct. Scripts get executed as your web user, so they (and the files they read) only need to be readable by you. However, any STATIC content that gets referenced by the script’s output (for instance, CSS files and graphics) don’t inherit those permissions, so they still have to be readable by the web server.

Yes, as long as the script reads and transfers them itself. If you do this, though, the script has to stay running until the request finishes – and if the download takes a long time, the script will continue taking up memory until it’s done. As such, we don’t recommend using this sort of system for long downloads.


#6

Good,

I can now start writing my guide on professional web development using Dreamhost.


Yoga Redux
Pay $18 for Dreamhost registration with coupon [color=#CC0000]WORDBRAHMAN[/color]