
new ccgi permissions

Gabe
Grafter
Posts: 767
Registered: ‎29-10-2008

new ccgi permissions

This is an update to an earlier post (http://community.plus.net/forum/index.php/topic,80496.msg655494.html#msg655494).
Paranoid permissions are not quite as essential on the new ccgi server, but why give the hackers an inch?
Contrary to any remaining sources that recommend php files should have permissions set to 755 (0755: -rwx,r-x,r-x), this is not necessary on the ccgi platform. Setting group and other permissions on script files is potentially insecure.
The default permissions for php files should rather be 700 (0700: -rwx,---,---).
Bulk modifying all files and folders to 755 or 750 will allow sites to work, but this is potentially insecure and not best policy.
Permissions should be set selectively:
Folders 710 (0710: drwx,--x,---) is still recommended, or 750 if necessary. Some packages, like WordPress, may encourage you to set some folder permissions to 777, but that would be imprudent. If 710 is insufficient, try 750 but no higher.
Scripts 700 (0700: -rwx,---,---) and no higher.
Static web content (html, css, js, etc.) and Apache files (htaccess, htpasswd) can be left at the default 640 (0640: -rw-,r--,---).
Files which are only read from and written to by scripts, but not served to browsers, such as log files, ini files and certificate files can be set to 600 (0600: -rw-,---,---).
Permissions can be set selectively using most FTP clients (control click in the file lists to select multiple files of the same type (or apple click on Macs)). For large numbers of files in deep folder trees, it may be easier to use a script, such as the one given below.
If nothing else, php files which contain login details, such as MySQL passwords, should be set to 700.

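#!/bin/bash
# CGI header, then a blank line, must come before any other output
echo "Content-type: text/html"
echo
# Folders to 710; "! -perm 1710" skips the root folder (-r: only run chmod if something matched)
find . -type d ! -perm 1710 -print0 | xargs -0 -r chmod 710
# Script files to 700
find . -type f -regextype posix-extended -regex '.*\.(php|pl|cgi)$' -print0 | xargs -0 -r chmod 700
# Report owner, group and permissions of every folder and file as an HTML table
echo "<table border='1'><tr><th>Type</th><th>Name</th><th>User, Group</th><th>Permissions</th></tr>"
find . -type d -printf '<tr><td>Folder</td><td>%p</td><td>%u, %g</td><td>%M</td></tr>'
find . -type f -printf '<tr><td>File</td><td>%p</td><td>%u, %g</td><td>%M</td></tr>'
echo "</table>"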

(Give it a .cgi extension, load it to your web root, set its own permissions to 700 and call it with a web browser. You can change "chmod 710" to "chmod 750", but don't edit "! -perm 1710", which tells the script not to chmod your root folder.)
Gabe
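
An added example, not part of the original post: a read-only check that lists every folder and file under the web root whose mode has a bit set beyond the limits given above (folders 750, scripts 700, static and Apache files 640, script-only data 600). The function names and the extension list for script-only data are assumptions, and it relies on GNU find, like the script above.

```bash
#!/bin/bash
# Added example (not from the original post): read-only audit, nothing is chmod-ed.

# limit_for TYPE PATH -> most permissive mode the post allows for that entry
limit_for() {
    if [ "$1" = d ]; then echo 750; return; fi    # folders: 710 preferred, 750 at most
    case "${2##*/}" in
        *.php|*.pl|*.cgi) echo 700 ;;              # scripts: 700 and no higher
        *.log|*.ini|*.pem|*.crt|*.key) echo 600 ;; # script-only data; extension list is an assumption
        *) echo 640 ;;                             # static content, .htaccess, .htpasswd
    esac
}

# audit_perms DIR -> one line "<mode> <limit> <path>" per entry with a bit outside its limit
audit_perms() {
    # -mindepth 1 skips the web root itself (the original script skips it via "! -perm 1710")
    find "${1:-.}" -mindepth 1 \( -type d -o -type f \) -printf '%m %y %p\n' |
    while read -r mode type path; do
        limit=$(limit_for "$type" "$path")
        # leading 0 makes both values octal; any bit in mode but not in limit is an excess
        if [ $(( 0$mode & ~0$limit )) -ne 0 ]; then
            printf '%s %s %s\n' "$mode" "$limit" "$path"
        fi
    done
}

# Run from a shell as: ./audit.sh /path/to/webroot (file names containing newlines are not handled)
if [ "$#" -gt 0 ]; then audit_perms "$1"; fi
```

An empty result means nothing exceeds the limits; a line such as "755 700 ./config.php" shows the current mode, the limit and the path.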
23 REPLIES 23
bobpullen
Community Gaffer
Posts: 16,869
Thanks: 4,950
Fixes: 315
Registered: ‎04-04-2007

Re: new ccgi permissions

Brilliant! Thanks Gabe
I'll add that to the FAQ on the Community Library after I've had some lunch...

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

geraldholdswort
Grafter
Posts: 28
Fixes: 1
Registered: ‎09-10-2008

Re: new ccgi permissions

OK - I've changed my .htaccess file to add the ~username bit - that works in that it now accesses the correct PHP files etc. However, sometimes I get Access forbidden, but mostly some, or all images don't load (despite their size attributes being picked up), and sometimes the CSS doesn't get accessed. I've tried changing permissions, but this seems to make things worse. This is the same if I enter www.domain.co.uk or ccgi.username.free-online.co.uk/folder.
I kind of need this working reliably, as my business relies on one of my sites.
MikeMcTernan
Dabbler
Posts: 12
Registered: ‎10-03-2009

Re: new ccgi permissions

Quote from: geraldholdsworth
However, sometimes I get Access forbidden,

I see the same.  Sometimes the pages are fine, at other times I'll get Access forbidden for a while.  Then it's okay again without me doing anything other than hitting reload again.
I'm not sure why, I wondered if there was some load balancing maybe with a misconfigured server in the pool?
geraldholdswort
Grafter
Posts: 28
Fixes: 1
Registered: ‎09-10-2008

Re: new ccgi permissions

I get Access forbidden more often than not, and when I don't, I get an incomplete page. So my pages are unreliable 100% of the time.
Gabe
Grafter
Posts: 767
Registered: ‎29-10-2008

Re: new ccgi permissions

Quote from: geraldholdsworth
I get Access forbidden more often than not, and when I don't, I get an incomplete page.

Sounds like one for Plusnet.
Gabe
pcr
Dabbler
Posts: 10
Registered: ‎16-03-2010

Re: new ccgi permissions

Hello,
Really sorry if I'm being a pain with repeating the question, it's just that I'm completely running out of ideas. Our PHP environment simply does-not-work. I have deleted everything on our CGI webspace, and I have just uploaded a single 3-line php file containing
<?php
phpinfo();
?>

And still get "Error 500; Premature end of script headers: php_test.php".
This is just calling the phpinfo() function. What gives? I have tried changing the CHMOD settings to 777, 755, 750, 700, and probably a few others. What should I do to get any sign of life from PHP?
spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: new ccgi permissions

A PHP file with that content works for me - permissions 0700.
Are you sure there isn't a hidden .htaccess file in the directory?
David
pcr
Dabbler
Posts: 10
Registered: ‎16-03-2010

Re: new ccgi permissions

Quote from: spraxyt
A PHP file with that content works for me - permissions 0700.
Are you sure there isn't a hidden .htaccess file in the directory?
David

I have just set it back to 0700 - nothing.
.htaccess is not there, I'm positive. Yesterday, I was trying everything, so I was reading the thread
http://community.plus.net/forum/index.php/topic,84267.16.html
where Gabe was suggesting changes to .htaccess file. I put in some general .htaccess file and tried to make the settings suggested, but when it didn't work, I removed it.
Ben_Brown
Grafter
Posts: 2,839
Registered: ‎13-06-2007

Re: new ccgi permissions

pcr - I've had a quick look on the filesystem and your home directory had the wrong group. I'm not sure how this happened but will look into that later. I've corrected it now, so your site should now work - the php_test.php page certainly does now.
pcr
Dabbler
Posts: 10
Registered: ‎16-03-2010

Re: new ccgi permissions

Quote from: Ben
pcr - I've had a quick look on the filesystem and your home directory had the wrong group. I'm not sure how this happened but will look into that later. I've corrected it now, so your site should now work - the php_test.php page certainly does now.

Hello Ben,
Thank you very much for that. The PHP now indeed returns the output. Hope the Joomla installation will go smoothly as well.
Thank you again, we were slowly going crazy.
ninjanik
Newbie
Posts: 9
Registered: ‎03-08-2007

Re: new ccgi permissions

I'm trying to get Gabe's permissions script to work but keep running into the error:
Premature end of script headers: permissions.cgi
I've copied the script into the root directory and set permissions to 700.
I've disabled my .htaccess file (just to make sure) but keep getting the same error.
Is there anything else I need to do?
thanks
Nick
ninjanik
Newbie
Posts: 9
Registered: ‎03-08-2007

Re: new ccgi permissions

Quote
I'm trying to get Gabe's permissions script to work but keep running into the error:
Premature end of script headers: permissions.cgi
I've copied the script into the root directory and set permissions to 700.
I've disabled my .htaccess file (just to make sure) but keep getting the same error.
Is there anything else I need to do?
thanks
Nick

Managed to sort it - CR/LF issue.
fforchlas
Dabbler
Posts: 15
Registered: ‎23-03-2010

Re: new ccgi permissions

This exact same thing has happened to me..... what do you mean by "run the script"?
I already had this code before I upgraded....
Help!
bethan
spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: new ccgi permissions

Quote from: fforchlas
..... what do you mean by "run the script"

Assuming the script (permissions.cgi, if that's what you called it) has its own permissions set to 0700, to run it you type
http://ccgi. … /permissions.cgi in your browser's address line and press enter.
That executes (runs) the script and the results should be displayed in the browser window.
David