CCGI permissions

Gabe
Grafter
Posts: 767
Registered: 29-10-2008


While we're waiting for the new platform to go live:
I don't think this has been mentioned in a while, so it may be worth repeating. Contrary to the tutorials and error messages that recommend php files should have permissions set to 755 (0755: -rwx,r-x,r-x), this is not necessary on the ccgi platform. Setting group and other permissions on script files is potentially insecure.
The default permissions for php files should rather be 700 (0700: -rwx,---,---).
Bulk modifying all files and folders to 755 or 750 will allow sites to work, but this is potentially insecure and not best policy.
Permissions should be set selectively:
Folders 710 (0710: drwx,--x,---) or 750 only if it is essential to list contents.
Scripts 700 (0700: -rwx,---,---).
Static web content (html, css, js, etc.) and Apache files (htaccess, htpasswd) can be left at the default 640 (0640: -rw-,r--,---).
Files which are only read from and written to by scripts, but not served to browsers, such as log files, ini files and certificate files can be set to 600 (0600: -rw-,---,---).
Permissions can be set selectively using most FTP clients (control click in the file lists to select multiple files of the same type (or apple click on Macs)). For large numbers of files in deep folder trees, it may be easier to use a script, such as the one given below.
If nothing else, php files which contain login details, such as MySQL passwords, should be set to 700.
Gabe
<?php
/**
PHP script to set permissions selectively for script files (php, pl, cgi) and folders. (Would be easier using find/chmod in shell, if available.)
FTP the script to ccgi filespace, set its permissions to 700 (0700: -rwx,---,---) and call in browser. It will change permissions recursively and echo a list of file and folder data.
Recommended permissions:
Folders 710 (0710: drwx,--x,---).
Script files (php, pl, cgi) 700 (0700: -rwx,---,---).
Edit the default permissions below in octal (with a leading zero).
Additional or alternative extensions can be added to the pipe-separated extensions list.
Folders can be added to, or removed from, the exclusion list (cgi-bin is excluded by default).
*/
ini_set('max_execution_time', 60);  // deep trees may need longer
$path    = ".";                     // path to folder containing this script
$dperm   = 0710;                    // folder permissions
$cgiperm = 0700;                    // script permissions
$cgidef  = '/\.(php|pl|cgi)$/';     // script extensions (single quotes, so PHP leaves \ and $ alone)
$exlist  = '/\/(cgi-bin|foobar)$/'; // exclude these folders

echo "<table border='1'>
<tr>
<th>Type</th>
<th>Name</th>
<th>User,Group</th>
<th>Permissions</th>
</tr>";
chmodr($path, $dperm, $cgiperm, $cgidef, $exlist);
echo "</table>";

function chmodr($pa, $dp, $cp, $cd, $el) {
    if (is_file($pa)) {                          // is it a file?
        if (preg_match($cd, $pa)) {              // set selected file permissions
            chmod($pa, $cp);
        }
        filestats("File", $pa);                  // echo file data
    } elseif (is_dir($pa) && !preg_match($el, $pa)) { // or is it a non-excluded folder
        $entries = array();
        $dl = opendir($pa);
        if ($dl === false) {                     // unreadable folder: report it and move on
            filestats("Folder", $pa);
            return;
        }
        // collect the entries, skipping . and .. by name (readdir order is not guaranteed,
        // so slicing off the first two entries is not safe, and an empty folder has none)
        while (false !== ($filename = readdir($dl))) {
            if ($filename !== '.' && $filename !== '..') {
                $entries[] = $filename;
            }
        }
        closedir($dl);
        foreach ($entries as $entry) {           // call function recursively for each entry
            chmodr($pa . "/" . $entry, $dp, $cp, $cd, $el);
        }
        clearstatcache();
        if (substr(decoct(fileperms($pa)), -4, 1) != '1') { // set dir permissions unless sticky
            chmod($pa, $dp);
        }
        filestats("Folder", $pa);                // echo folder data
    }
}

function filestats($type, $pth) {                // get file data
    clearstatcache();
    $stat = stat($pth);
    if (function_exists('posix_getpwuid')) {     // resolve names; fall back to numeric ids
        $uida = posix_getpwuid($stat['uid']);    // if the posix extension is not loaded
        $gida = posix_getgrgid($stat['gid']);
        $uid = $uida['name'];
        $gid = $gida['name'];
    } else {
        $uid = $stat['uid'];
        $gid = $stat['gid'];
    }
    $perms = fileperms($pth);
    // file type character, as ls -l shows it
    if (($perms & 0xC000) == 0xC000) {
        $perml = 's';
    } elseif (($perms & 0xA000) == 0xA000) {
        $perml = 'l';
    } elseif (($perms & 0x8000) == 0x8000) {
        $perml = '-';
    } elseif (($perms & 0x6000) == 0x6000) {
        $perml = 'b';
    } elseif (($perms & 0x4000) == 0x4000) {
        $perml = 'd';
    } elseif (($perms & 0x2000) == 0x2000) {
        $perml = 'c';
    } elseif (($perms & 0x1000) == 0x1000) {
        $perml = 'p';
    } else {
        $perml = 'u';
    }
    // owner, group and other bits, with setuid/setgid/sticky folded in as s/S and t/T
    $perml .= (($perms & 0x0100) ? 'r' : '-');
    $perml .= (($perms & 0x0080) ? 'w' : '-');
    $perml .= (($perms & 0x0040) ? (($perms & 0x0800) ? 's' : 'x') : (($perms & 0x0800) ? 'S' : '-'));
    $perml .= (($perms & 0x0020) ? 'r' : '-');
    $perml .= (($perms & 0x0010) ? 'w' : '-');
    $perml .= (($perms & 0x0008) ? (($perms & 0x0400) ? 's' : 'x') : (($perms & 0x0400) ? 'S' : '-'));
    $perml .= (($perms & 0x0004) ? 'r' : '-');
    $perml .= (($perms & 0x0002) ? 'w' : '-');
    $perml .= (($perms & 0x0001) ? (($perms & 0x0200) ? 't' : 'x') : (($perms & 0x0200) ? 'T' : '-'));
    // file names are untrusted when echoed into HTML
    echo "<tr><td>$type</td><td>" . htmlspecialchars($pth) . "</td><td>$uid,$gid</td><td>$perml</td></tr>";
}
?>
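The find/chmod shell version that the script's comment alludes to, added here as an example that is not part of the post: it audits a tree against the modes recommended above (folders 710, scripts 700, static content 640, script-only files 600), prunes cgi-bin and leaves sticky-bit entries alone like the PHP script, and only runs chmod when asked to. It assumes a POSIX sh with find and either GNU or BSD stat; the set of extensions treated as script-only (600) is a constructed assumption.

```shell
#!/bin/sh
# Added example (not from the post): audit/fix a ccgi-style tree against the
# recommended modes. Assumes POSIX sh + find and GNU or BSD stat.
# The extensions treated as script-only (600) are a constructed assumption.

# policy_mode PATH -> recommended mode: folders 710, scripts 700,
# files only read/written by scripts 600, everything else (static content) 640
policy_mode() {
    [ -d "$1" ] && { echo 710; return; }
    case "$1" in
        *.php|*.pl|*.cgi)              echo 700 ;;
        *.log|*.ini|*.pem|*.crt|*.key) echo 600 ;;
        *)                             echo 640 ;;
    esac
}

# current_mode PATH -> current mode in octal (GNU stat first, then BSD stat)
current_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%Lp' "$1" 2>/dev/null)
    printf '%03d\n' "$m"
}

# audit_tree ROOT [fix] -> one line per mismatch: "PATH CURRENT RECOMMENDED".
# cgi-bin is pruned and sticky-bit entries are skipped, as in the PHP script;
# modes are only changed when the second argument is "fix".
audit_tree() {
    root=$1
    action=${2:-audit}
    find "$root" -name cgi-bin -prune -o \( -type f -o -type d \) -print |
    while IFS= read -r p; do
        have=$(current_mode "$p")
        want=$(policy_mode "$p")
        case "$have" in 1???) continue ;; esac
        if [ "$have" != "$want" ]; then
            echo "$p $have $want"
            if [ "$action" = fix ]; then
                chmod "$want" "$p"
            fi
        fi
    done
}
```

Run `audit_tree /path/to/site` first to see what would change, then `audit_tree /path/to/site fix`.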