[ee122] Permissions

Richard Schmidt huntingtonsurfca at gmail.com
Sat Oct 13 23:14:26 PDT 2007


Thanks for the input. I've never used errno.h but now I see that it
should be fairly straightforward to use.

I'm guessing that I can also use this method to detect if the file
exists by checking the errno for ENOENT? That'd be much cleaner than
what I'm doing right now.

Thanks again,
Rick

On 10/13/07, Christopher Cowart <ccowart at berkeley.edu> wrote:
> On Sat, Oct 13, 2007 at 07:38:22PM -0700, Richard Schmidt wrote:
> > At first I thought that I was to use the "others" permission status to
> > determine whether or not someone can read my private/diary.html
> >
> > But when I create a file, I noticed that none of them have this
> > permission flagged (neither r,w, or x).
> >
> > Am I supposed to use this "others" portion to determine permission
> > status, and if so, do I need to use chmod to change read status for
> > "others"? I don't really know (yet) how to do this.
>
> The prevailing wisdom in UNIX software is to let the OS figure it out
> for you. You'll often see reports of vulnerabilities "can run arbitrary
> code with the permissions of the user."
>
> When you run a web server as httpd or www or ee122-cx, it should be able
> to read files as follows:
> -r--------  If it owns them.
> dr-x------
>
> -r--r-----  If the group matches any group to which the effective uid of
> dr-xr-x---  the daemon belongs.
>
> -r--r--r--  Always.
> dr-xr-xr-x
>
> The reason you probably associate "web server" with "world-readable" is
> that in many environments, you get a ~/public_html folder. In order for
> the uid of the httpd process to read files in there, they generally do
> need to be world-readable.
>
> If the call to open returns -1 and sets errno, you can check it for a
> permission denied value and return your 403. I think most other errors
> that open may return are probably more appropriately labeled as 500
> errors.
>
> --
> Chris Cowart
>
>
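
The approach described in the quoted reply, as an added example that is not part of the original thread: let open() apply the permission check for the daemon's effective uid and groups, then turn errno into a response code. The function names, the scratch path, and the 404 for ENOENT (following the question about ENOENT above) are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Map the errno left by a failed open() to an HTTP status code. */
int status_for_open_errno(int err)
{
    switch (err) {
    case EACCES: return 403;  /* kernel refused access for our effective uid/gids */
    case ENOENT: return 404;  /* no such file (assumed mapping) */
    default:     return 500;  /* EMFILE, ENFILE, EIO, ...: server-side trouble */
    }
}

/* Open path read-only; returns the fd, or -1 with *status set from errno. */
int open_for_serving(const char *path, int *status)
{
    int fd = open(path, O_RDONLY);
    *status = (fd == -1) ? status_for_open_errno(errno) : 200;  /* read errno at once */
    return fd;
}

/* Constructed demo: make a scratch file with the given mode, report the status. */
int status_for_mode(mode_t mode)
{
    char path[] = "/tmp/ee122_demo_XXXXXX";  /* hypothetical scratch name */
    int status = 500, fd, tmp = mkstemp(path);
    if (tmp == -1)
        return status;
    close(tmp);
    if (chmod(path, mode) == 0 && (fd = open_for_serving(path, &status)) != -1)
        close(fd);
    unlink(path);
    return status;
}

int main(void)
{
    int status;
    open_for_serving("/nonexistent/ee122/diary.html", &status);
    /* mode 0000 reports 200 instead of 403 when run as root, which bypasses the check */
    printf("missing=%d 0400=%d 0000=%d\n", status, status_for_mode(0400), status_for_mode(0000));
    return 0;
}
```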

