[ee122] Permissions

[Christopher Cowart]

On Sat, Oct 13, 2007 at 07:38:22PM -0700, Richard Schmidt wrote:
> At first I thought that I was to use the "others" permission status to
> determine whether or not someone can read my private/diary.html
> 
> But when I create a file, I noticed that none of them have this
> permission flagged (nither r,w, or x).
> 
> Am I supposed to use this "others" portion to determine permission
> status, and if so, do I need to use chmod to change read status for
> "others"? I don't really know (yet) how to do this.

The prevailing wisdom in UNIX software is to let the OS figure it out
for you. You'll often see reports of vulnerabilities "can run arbitrary
code with the permissions of the user."

When you run a web server as httpd or www or ee122-cx, it should be able
to read files as follows:
-r--------  If it owns them.
dr-x------

-r--r-----  If the group matches any group to which the effective uid of
dr-xr-x---  the daemon belongs.                                          
           
-r--r--r--  Always.
dr-xr-xr-x

The reason you probably associate "web server" with "world-readable" is
that in many environments, you get a ~/public_html folder. In order for
the uid of the httpd process to read files in there, they generally do
need to be world-readable.

If the call to open returns -1 and sets errno, you can check it for a
permission denied value and return your 403. I think most other errors
that open may return are probably more appropriately labeled as 500
errors.

-- 
Chris Cowart
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 824 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/ee122/attachments/20071013/ec1edb9b/attachment.bin