Ownership of a file in unix file system

Guest

I need to create a file on a web server (running unix) and set its permission so
that no-one, except with correct ftp username & password can download or view it.
On my www server I've created test.pl. When I go to
www.notareal.com/cgi-bin/test.pl
Firefox shows "Hello world" as expected. When I use an FTP program to check if
newtext.txt has been created it's there OK.

The problem is that I cannot download the newtext.txt or view it. I can delete it
but that's just about it.


Here is a simple test.pl:

#!/usr/bin/perl
print "Content-Type: text/html; charset=iso-8859-1\n\n";
print '<html><BODY>';
open(TEKSTI,">newtext.txt");
print TEKSTI "just testing";
close(TEKSTI);
chmod 0600,"newtext.txt"; ## The problem line
print "Hello world</body> </HTML>";



If I leave out the problem line everything works but the file is set as 644 and
not 600. Can I leave it as 644? Can someone without user name and password still
access it from browsers or other program?

I tried this on another www page and it worked there ok.
 
Eric Pozharski

> The problem is that I cannot download the newtext.txt or view it. I
> can delete it but that's just about it.

(honestly, it's hard to grok what you want to say, so I left what makes
most sense to me) Your subject is correct. Have you tried to access
that file with browser? I suppose you would succeed. My understanding
is, that's not what you want either. The problem is that your
www-server and ftp-server are running with different UIDs. Permissions
are owner-group-others. But the 'owner' here isn't you. It's from
/etc/passwd. If that's a shared hosting (if I use correct term), then
probably for kernel *you* do not exist at all.

If you have a place in the filesystem, where www-server can write
(create files) and ftp-server would allow you (as authenticated user)
and disallow any other user to read files then create your file there.
But probably your ftp-home (where you, as ftp-user, can manipulate
files) is document-root of your www-server. Then you should configure
your www-server to forbid access to that file. It would forbid access
from outside, your cgi-scripts would stay unaffected. How you could do
either way is off-topic here. You should find other newsgroup then.

*CUT*
 
blmblm

I think your question might be more a UNIX / web server question
than a Perl question, and you might get better answers somewhere
else (though I'm not sure what group to recommend). But maybe
I can say/ask a few marginally useful things:

> I need to create a file on a web server (running unix) and set its permission so
> that no-one, except with correct ftp username & password can download or view it.

What do you mean by "correct ftp username & password" here?

> On my www server I've created test.pl. When I go to
> www.notareal.com/cgi-bin/test.pl
> Firefox shows "Hello world" as expected. When I use an FTP program to check if
> newtext.txt has been created it's there OK.

"There"? Where? (This affects which users can access it.)
> The problem is that I cannot download the newtext.txt or view it. I can delete it
> but that's just about it.
>
> Here is a simple test.pl:
>
> #!/usr/bin/perl
> print "Content-Type: text/html; charset=iso-8859-1\n\n";
> print '<html><BODY>';
> open(TEKSTI,">newtext.txt");
> print TEKSTI "just testing";
> close(TEKSTI);
> chmod 0600,"newtext.txt"; ## The problem line
> print "Hello world</body> </HTML>";
>
> If I leave out the problem line everything works but the file is set as 644 and
> not 600. Can I leave it as 644? Can someone without user name and password still
> access it from browsers or other program?

644 is world-readable, so the answer is sort of "yes", though it
also depends on permissions of enclosing directories.

> I tried this on another www page and it worked there ok.

"Another www page"? do you mean another CGI program, or what?

One question I would ask is this: What does newtext.txt show as
its owning UID? (I'm thinking it might be a UID belonging to the
Web server, and that might not be what you intended.)
 
Michael Vilain

> I need to create a file on a web server (running unix) and set its permission
> so that no-one, except with correct ftp username & password can download or
> view it.
> On my www server I've created test.pl. When I go to
> www.notareal.com/cgi-bin/test.pl
> Firefox shows "Hello world" as expected. When I use an FTP program to check
> if newtext.txt has been created it's there OK.
>
> The problem is that I cannot download the newtext.txt or view it. I can
> delete it but that's just about it.
>
> Here is a simple test.pl:
>
> #!/usr/bin/perl
> print "Content-Type: text/html; charset=iso-8859-1\n\n";
> print '<html><BODY>';
> open(TEKSTI,">newtext.txt");
> print TEKSTI "just testing";
> close(TEKSTI);
> chmod 0600,"newtext.txt"; ## The problem line
> print "Hello world</body> </HTML>";
>
> If I leave out the problem line everything works but the file is set as 644
> and not 600. Can I leave it as 644? Can someone without user name and password
> still access it from browsers or other program?
>
> I tried this on another www page and it worked there ok.

The problem with creating files via a web browser is that the process
that creates them is the owner of the file. Depending on how you set up
your web server and what web server it is (usually it's Apache), it will
be something like www or nobody. That's a configuration option. So,
you create a file with permissions rw------- (600), only www will be
able to read it.

When you ftp into the machine and login, you're that user's ID (i.e.
userA). If the web server created the file to only allow www to read
and write it, then userA won't be able to.

In shared web hosting environments, a way around this is to set up the
web server to run CGI scripts under the user you want to create the
file. There's a program you can compile and install that allows you to
run a CGI script as a specific user. Look for cgiwrap in Google.
You'll have to compile and install it as a SUID program and modify the
path in your html page that calls the script.

There may be a way to run Apache in a shared environment to allow for an
instance to run as a specific user, but it would require some sort of
authentication. cgiwrap bypasses that.

All this is irrelevant if you're running in a shared web hosting
environment. Check with your ISP on how you do this on their system.
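
The ownership rule described in this thread, modelled as an added example (not code from any poster): it picks the owner, group or other bits the way Unix does, and goes beyond the replies by also covering chmod and delete, which shows how a 0600 file created by the web server can be deleted over FTP yet not read or re-moded. uid/gid 80 is the owner shown in the thread's FTP listing; the FTP account 1001, the 0777 directory mode and all function names are assumptions, and root, ACLs and capabilities are not modelled.

```python
import stat
from collections import namedtuple

# Simplified model: root, ACLs and capabilities are not covered.
Node = namedtuple("Node", "uid gid mode")  # owner uid, group gid, mode bits
Cred = namedtuple("Cred", "uid gids")      # process uid and its group ids
BITS = {"r": 4, "w": 2, "x": 1}

def allowed(cred, node, want):
    """True if cred holds every right in want (e.g. "r", "wx") on node."""
    # Exactly one class applies: owner, else group, else other. An owner is
    # not rescued by more generous group or other bits.
    if cred.uid == node.uid:
        shift = 6
    elif node.gid in cred.gids:
        shift = 3
    else:
        shift = 0
    need = sum(BITS[c] for c in want)
    return ((node.mode >> shift) & need) == need

def can_chmod(cred, node):
    """Only the owner (or root, not modelled) may change a file's mode."""
    return cred.uid == node.uid

def can_delete(cred, directory, node):
    """Unlinking needs write+search on the directory, not rights on the file."""
    if not allowed(cred, directory, "wx"):
        return False
    if directory.mode & stat.S_ISVTX:  # sticky bit, as on /tmp
        return cred.uid in (node.uid, directory.uid)
    return True

def summary(cred, directory, node):
    return {"read": allowed(cred, directory, "x") and allowed(cred, node, "r"),
            "chmod": can_chmod(cred, node),
            "delete": can_delete(cred, directory, node)}

# Constructed scenario: uid/gid 80 is the owner shown in the thread's FTP
# listing; the FTP account (1001) and the directory mode are assumptions.
WEB = Cred(80, frozenset({80}))
FTP = Cred(1001, frozenset({1001}))
CGI_BIN = Node(1001, 1001, 0o777)   # directory the web server can write to
NEWTEXT = Node(80, 80, 0o600)       # created by the CGI, then chmod 0600

if __name__ == "__main__":
    print("ftp user  :", summary(FTP, CGI_BIN, NEWTEXT))
    print("web server:", summary(WEB, CGI_BIN, NEWTEXT))
    print("ftp, 0644 :", summary(FTP, CGI_BIN, NEWTEXT._replace(mode=0o644)))
```

The web-server row is the security-relevant one: 0600 keeps other local accounts out, but a request handled by the server runs as the file's owner, so keeping browsers away from the file has to be done in the web server's configuration, as Eric Pozharski's reply says.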
 
John

> I think your question might be more a UNIX / web server question
> than a Perl question, and you might get better answers somewhere
> else (though I'm not sure what group to recommend). But maybe
> I can say/ask a few marginally useful things:
>
> What do you mean by "correct ftp username & password" here?

I create the TEST.PL file with a notepad program on my home computer. Then I
upload it to the web server using FileZilla (an ftp client program). I also use
FileZilla to download the NEWTEXT.TXT file to see what's in it. To log on to the
server I need username and password.

> "There"? Where? (This affects which users can access it.)

On the web server. Users access via web using, say, Firefox and going to
www.notareal.com/cgi-bin/test.pl
Once they see "Hello World" they should be able to go to
www.notareal.com/cgi-bin/newtext.txt
or at least something should come up on the browser.

> 644 is world-readable, so the answer is sort of "yes", though it
> also depends on permissions of enclosing directories.
>
> "Another www page"? do you mean another CGI program, or what?

I uploaded the very same TEST.PL on www.anotherofmyhomepages.com and then used
Firefox to see if I get an 404 error or "Hello world". I get the greeting. In
addition to greeting message a file NEWTEXT.TXT should have been created on the
server (it has).

> One question I would ask is this: What does newtext.txt show as
> its owning UID? (I'm thinking it might be a UID belonging to the
> Web server, and that might not be what you intended.)

When I use FileZilla to look at the file listing on the server I see the
NEWTEXT.TXT is 0600 80 80 which means that it's a file that owner (me) can modify
and read but not some anonymous user. The "80 80" means owner is "no-one".

On www.anotherofmyhomepages.com NEWTEXT.TXT is 0600 80 80 and it can be accessed,
modified, deleted with the FileZilla ftp client program.
However, on www.notareal.com NEWTEXT.TXT is also 0600 80 80 but it can only
be deleted with the FileZilla ftp client program. Any modification (change 0600 ->
0755 etc), download is not possible.

What I am thinking is that there is some other Perl command I should use for
compatibility. Or is there some guideline that "you should not create files in
cgi-bin directory" etc.
 
Jürgen Exner

> I need to create a file on a web server (running unix) and set its permission so
> that no-one, except with correct ftp username & password can download or view it.
> On my www server I've created test.pl. When I go to
> www.notareal.com/cgi-bin/test.pl
> Firefox shows "Hello world" as expected. When I use an FTP program to check if
> newtext.txt has been created it's there OK.

Your question has absolutely nothing to do with Perl.

Investigate under which userID the web server is running this specific
task, investigate which userID is used as the effective UID in the FTP
program, and maybe even understand how permissions work on Unix (for
some people they are non-intuitive).
And then configure your web server and your FTP server such that the
file is created with the desired userID (check it using a shell!!!) and
you should be all set.

jue
 
blmblm

(I guess you're the OP, although you seem to be using a different
identity to reply .... Just sayin'.)

> I create the TEST.PL file with a notepad program on my home computer. Then I
> upload it to the web server using FileZilla (an ftp client program). I also use
> FileZilla to download the NEWTEXT.TXT file to see what's in it. To log on to the
> server I need username and password.


Okay, so you want access to the generated file (newtext.txt) to
happen only if you supply this username and password?

> On the web server. Users access via web using, say, Firefox and going to
> www.notareal.com/cgi-bin/test.pl
> Once they see "Hello World" they should be able to go to
> www.notareal.com/cgi-bin/newtext.txt
> or at least something should come up on the browser.


But now you seem to be saying that anyone who can (successfully)
point a browser at the CGI program should also be able to view the
generated file. ?

> I uploaded the very same TEST.PL on www.anotherofmyhomepages.com and then used
> Firefox to see if I get an 404 error or "Hello world". I get the greeting. In
> addition to greeting message a file NEWTEXT.TXT should have been created on the
> server (it has).


That it doesn't work the same way on the two sites isn't totally
surprising -- they could have their Web servers configured differently.
(Some of the other replies to your original post have given some
specifics about that.)

> When I use FileZilla to look at the file listing on the server I see the
> NEWTEXT.TXT is 0600 80 80 which means that it's a file that owner (me) can modify
> and read but not some anonymous user. The "80 80" means owner is "no-one".
>
> On www.anotherofmyhomepages.com NEWTEXT.TXT is 0600 80 80 and it can be accessed,
> modified, deleted with the FileZilla ftp client program.
> However, on www.notareal.com NEWTEXT.TXT is also 0600 80 80 but it can only
> be deleted with the FileZilla ftp client program. Any modification (change 0600 ->
> 0755 etc), download is not possible.


But *this* difference makes no sense to me -- it seems to me that the
permissions and ownership are the same on both, so why would what you
can do with the file be different? Hm.

Is it at all possible that the owning UIDs are different despite what
FileZilla is telling you??

> What I am thinking is that there is some other Perl command I should use for
> compatibility.


I'm really, really skeptical that you will be able to solve this
problem by doing something with your Perl program. I could be
wrong, but it seems to me that the problem here has more to do
with how the systems you're trying to work with are configured,
and that you should either ask this question again in another group
where such questions are on-topic, or possibly ask the tech-support
people at www.notareal.com and/or www.anotherofmyhomepages.com.

> Or is there some guideline that "you should not create files in
> cgi-bin directory" etc.


Well, it seems to me that there are security risks associated with
a world-accessible CGI program being able to create files on the
Web server. I know so little about this that I hesitate to say
any more than that, but I know I've hesitated to deploy CGI scripts
that need to create/modify files because I didn't feel like I knew
enough to do so safely and didn't quite have the time and inclination
to dig into the subject.
 
