new ccgi permissions
16-03-2010 8:52 AM
Paranoid permissions are not quite as essential on the new ccgi server, but why give the hackers an inch?
Contrary to any remaining sources that recommend php files should have permissions set to 755 (0755: -rwx,r-x,r-x), this is not necessary on the ccgi platform. Setting group and other permissions on script files is potentially insecure.
The default permissions for php files should rather be 700 (0700: -rwx,---,---).
Bulk modifying all files and folders to 755 or 750 will allow sites to work, but this is potentially insecure and not best policy.
Permissions should be set selectively:
Folders 710 (0710: drwx,--x,---) is still recommended, or 750 if necessary. Some packages, like WordPress, may encourage you to set some folder permissions to 777, but that would be imprudent. If 710 is insufficient, try 750 but no higher.
Scripts 700 (0700: -rwx,---,---) and no higher.
Static web content (html, css, js, etc.) and Apache files (htaccess, htpasswd) can be left at the default 640 (0640: -rw-,r--,---).
Files which are only read from and written to by scripts, but not served to browsers, such as log files, ini files and certificate files can be set to 600 (0600: -rw-,---,---).
Permissions can be set selectively using most FTP clients (control click in the file lists to select multiple files of the same type (or apple click on Macs)). For large numbers of files in deep folder trees, it may be easier to use a script, such as the one given below.
If nothing else, php files which contain login details, such as MySQL passwords, should be set to 700.
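#!/bin/bash
# CGI response header, then the blank line that ends the headers
echo "Content-type: text/html"
echo
# Folders to 710, skipping the root folder (matched by its mode, 1710)
find . -type d ! -perm 1710 -print0 | xargs -0 -r chmod 710
# Scripts to 700 (owner only); -r stops xargs running chmod when nothing matches
find . -type f -regextype posix-extended -regex '.*\.(php|pl|cgi)$' -print0 | xargs -0 -r chmod 700
# Report owner, group and resulting permissions as an HTML table
echo "<table border='1'><tr><th>Type</th><th>Name</th><th>User, Group</th><th>Permissions</th></tr>"
find . -type d -printf '<tr><td>Folder</td><td>%p</td><td>%u, %g</td><td>%M</td></tr>'
find . -type f -printf '<tr><td>File</td><td>%p</td><td>%u, %g</td><td>%M</td></tr>'
echo "</table>"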
(Give it a .cgi extension, load it to your web root, set its own permissions to 700 and call it with a web browser. You can change "chmod 710" to "chmod 750", but don't edit "! -perm 1710", which tells the script not to chmod your root folder.)
Gabe
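A read-only companion to the script above, added here as an example and not part of Gabe's post or any Plusnet tooling: it lists every path whose mode grants more than the policy in the post allows, without changing anything. It assumes GNU find (which the post's script already needs); the "private" extension list and the function names are illustrative assumptions.

```bash
#!/bin/bash
# Added example: read-only audit against the permission policy in the post.
# Assumptions: GNU find; the list of "private" extensions
# (log, ini, pem, crt, key) is illustrative, not from the post.

# max_mode PATH -> highest mode the policy allows for PATH
max_mode() {
    if [ -d "$1" ]; then echo 750; return; fi       # folders: 710, or 750 at most
    case "$1" in
        *.php|*.pl|*.cgi)              echo 700 ;;  # scripts
        *.log|*.ini|*.pem|*.crt|*.key) echo 600 ;;  # only read/written by scripts
        *)                             echo 640 ;;  # static content, .htaccess, .htpasswd
    esac
}

# audit_perms DIR -> one "MODE PATH max=ALLOWED" line per path that grants
# permission bits beyond the policy. DIR itself is skipped, as in the post's
# script. Symlinks are skipped; names containing newlines are not supported.
audit_perms() {
    find "$1" -mindepth 1 ! -type l -printf '%m %p\n' |
    while read -r mode path; do
        allowed=$(max_mode "$path")
        # Octal arithmetic: bits set in mode but absent from allowed are excess
        if [ $(( 0$mode & ~0$allowed & 07777 )) -ne 0 ]; then
            printf '%s %s max=%s\n' "$mode" "$path" "$allowed"
        fi
    done
}
```

Call `audit_perms .` from the web root; an empty result means nothing exceeds the policy, and a file with fewer bits than the maximum (for example a script left at 600) is not reported.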
Re: new ccgi permissions
16-03-2010 12:40 PM
I'll add that to the FAQ on the Community Library after I've had some lunch...
Bob Pullen
Plusnet Product Team
Re: new ccgi permissions
16-03-2010 4:32 PM
I kind of need this working reliably, as my business relies on one of my sites.
Re: new ccgi permissions
16-03-2010 9:29 PM
Quote from: geraldholdsworth However, sometimes I get Access forbidden,
I see the same. Sometimes the pages are fine, at other times I'll get Access forbidden for a while. Then it's okay again without me doing anything other than hitting reload again.
I'm not sure why; I wondered if there was some load balancing, maybe with a misconfigured server in the pool?
Re: new ccgi permissions
17-03-2010 8:55 AM
Re: new ccgi permissions
17-03-2010 9:02 AM
Quote from: geraldholdsworth I get Access forbidden more often than not, and when I don't, I get an incomplete page.
Sounds like one for Plusnet.
Gabe
Re: new ccgi permissions
17-03-2010 1:29 PM
Really sorry if I'm being a pain with repeating the question, it's just that I'm completely running out of ideas. Our PHP environment simply does-not-work. I have deleted everything on our CGI webspace, and I have just uploaded a single 3-line php file containing
<?php
phpinfo();
?>
And still get "Error 500; Premature end of script headers: php_test.php".
This is just calling the phpinfo() function. What gives? I have tried changing the CHMOD settings to 777, 755, 750, 700, and probably a few others. What should I do to get any sign of life from PHP?
Re: new ccgi permissions
17-03-2010 1:51 PM
Are you sure there isn't a hidden .htaccess file in the directory?
David
Re: new ccgi permissions
17-03-2010 1:54 PM
Quote from: spraxyt A PHP file with that content works for me - permissions 0700.
Are you sure there isn't a hidden .htaccess file in the directory?
David
I have just set it back to 0700 - nothing.
.htaccess is not there, I'm positive. Yesterday, I was trying everything, so I was reading the thread
http://community.plus.net/forum/index.php/topic,84267.16.html
where Gabe was suggesting changes to the .htaccess file. I put in some general .htaccess file and tried to make the settings suggested, but when it didn't work, I removed it.
Re: new ccgi permissions
17-03-2010 2:08 PM
Re: new ccgi permissions
17-03-2010 2:14 PM
Quote from: Ben pcr - I've had a quick look on the filesystem and your home directory had the wrong group. I'm not sure how this happened but will look into that later. I've corrected it now, so your site should now work - the php_test.php page certainly does now.
Hello Ben,
Thank you very much for that. The PHP now indeed returns the output. Hope the Joomla installation will go smoothly as well.
Thank you again, we were slowly going crazy.
Re: new ccgi permissions
18-03-2010 3:34 PM
Premature end of script headers: permissions.cgi
I've copied the script into the root directory and set permissions to 700.
I've disabled my .htaccess file (just to make sure) but keep getting the same error.
Is there anything else I need to do?
thanks
Nick
Re: new ccgi permissions
18-03-2010 3:57 PM
Quote i'm trying to get Gabe's permissions script to work but keep running into the error:
Premature end of script headers: permissions.cgi
I've copied the script into the root directory and set permissions to 700.
I've disabled my .htaccess file (just to make sure) but keep getting the same error.
Is there anything else I need to do?
thanks
Nick
Managed to sort it - CR/LF issue.
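The CR/LF failure above, as an added example that is not part of the thread: when a script is saved with Windows line endings, its shebang line ends in a carriage return, the kernel cannot find an interpreter named "/bin/bash" plus that stray character, and Apache reports "Premature end of script headers". The function names are hypothetical, and the extension list mirrors Gabe's script.

```bash
#!/bin/bash
# Added example: find and repair CGI scripts whose shebang line ends in CR.
CR=$(printf '\r')   # a literal carriage return

# has_crlf_shebang FILE -> succeeds if line 1 starts with "#!" and ends in CR
has_crlf_shebang() {
    head -n 1 "$1" | grep -q "^#!.*$CR\$"
}

# crlf_scripts DIR -> prints each script under DIR with a CR-terminated shebang
crlf_scripts() {
    find "$1" -type f \( -name '*.cgi' -o -name '*.pl' -o -name '*.php' \) |
    while IFS= read -r f; do
        if has_crlf_shebang "$f"; then printf '%s\n' "$f"; fi
    done
}

# strip_cr FILE -> removes the CR at the end of every line. The file is
# rewritten in place through a temp copy, so its owner and mode (700) are kept.
strip_cr() {
    tmp=$(mktemp) || return 1
    if sed "s/$CR\$//" "$1" > "$tmp"; then cat "$tmp" > "$1"; fi
    rm -f "$tmp"
}
```

Uploading scripts in ASCII (text) mode from the FTP client, or saving them with Unix line endings in the editor, avoids the problem at source.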

Re: new ccgi permissions
25-06-2010 1:12 PM
i already had this code before i upgraded....
help!
bethan
Re: new ccgi permissions
25-06-2010 1:31 PM
Quote from: fforchlas ..... what do you mean by "run the script"
Assuming the script (permissions.cgi, if that's what you called it) has its own permissions set to 0700, to run it you type
http://ccgi. … /permissions.cgi in your browser's address line and press enter.
That executes (runs) the script and the results should be displayed in the browser window.
David