perldoc perlsec question

  • Thread starter el_roachmeister

el_roachmeister

Why does perlsec recommend setting scripts to chmod 755? Why would I
want anyone other than the user having read access to my scripts? I use
711 for all scripts. Is that wrong?

Thanks!
 

xhoster

> Why does perlsec recommend setting scripts to chmod 755? Why would I
> want anyone other than the user having read access to my scripts?

Why not? We can't read your mind.

> I use
> 711 for all scripts. Is that wrong?

Well, it is pointless. If you want to be antisocial, just
go with 700.

Xho
 

Gunnar Hjalmarsson

> Why does perlsec recommend setting scripts to chmod 755? Why would I
> want anyone other than the user having read access to my scripts? I use
> 711 for all scripts. Is that wrong?

If the server lets you execute them without the read bit, it cannot
reasonably be wrong. Many servers require 755, though.
 

el_roachmeister

I forgot to mention, 711 would be for my CGI scripts. I would not want
visitors reading my source code. I assume most people use Perl for CGI,
so setting scripts to 755 is a huge security loophole, no?
 

Gunnar Hjalmarsson

> I forgot to mention, 711 would be for my CGI scripts.

Maybe, if that works for you, do you possibly have e.g. suEXEC or
cgiwrap, so that CGI scripts are run as you? In that case, you can
probably set permission 700 as well.

> I would not want visitors reading my source code. I assume most people use Perl for CGI,
> so setting scripts to 755 is a huge security loophole, no?

If you are talking about people who navigate your site via the web: No.
Provided that the web server has been sensibly configured, they can
still not read the source. But it may be true as regards other users in
a shared environment.
 

el_roachmeister

Thanks for the info. I think my web server was "unsensibly" configured,
as people could read my Perl source code for cgi-bins in my subdomains.
If I had a script like this:

subdomain.domain.com/cgi-bin/script.pl

it would execute fine. But if the user typed:

www.domain.com/subdomain/cgi-bin/script.pl

then it would just reveal all the plain text source code! I was shocked
to see that, which is why I am now paranoid about the chmod I do on all my
scripts :-(
 

Martin Kissner

> Thanks for the info. I think my web server was "unsensibly" configured,
> as people could read my Perl source code for cgi-bins in my subdomains.
> If I had a script like this:
>
> subdomain.domain.com/cgi-bin/script.pl
>
> it would execute fine. But if the user typed:
>
> www.domain.com/subdomain/cgi-bin/script.pl
>
> then it would just reveal all the plain text source code! I was shocked
> to see that, which is why I am now paranoid about the chmod I do on all my
> scripts :-(

If this happens, IMHO the web server is not configured safely.
Directories which contain CGI scripts should not be world readable at
all.
The DocumentRoot of the subdomain shouldn't be within the domain's
DocumentRoot.
If it is not avoidable, www.domain.com/subdomain/cgi-bin/ should get a
ScriptAlias directive within the subdomain and the domain.

Regards
Martin
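
The layout discussed in the last two posts, sketched as an Apache httpd configuration. This is an added example, not part of the original thread and not any poster's actual configuration; the filesystem paths are constructed placeholders and the access-control lines assume Apache 2.4 syntax.

```apache
# Constructed example: hostnames follow the thread, paths are placeholders.

# --- Weak layout (commented out): matches the behaviour reported above ---
# The subdomain's DocumentRoot sits inside the main site's DocumentRoot, and
# only the subdomain vhost maps its cgi-bin with ScriptAlias. A request to
# www.domain.com/subdomain/cgi-bin/script.pl is therefore handled as a plain
# static file and the source is returned.
#
# <VirtualHost *:80>
#     ServerName www.domain.com
#     DocumentRoot /var/www/domain
# </VirtualHost>
# <VirtualHost *:80>
#     ServerName subdomain.domain.com
#     DocumentRoot /var/www/domain/subdomain
#     ScriptAlias /cgi-bin/ /var/www/domain/subdomain/cgi-bin/
# </VirtualHost>

# --- Corrected layout: separate trees, cgi-bin outside every DocumentRoot ---
<VirtualHost *:80>
    ServerName www.domain.com
    DocumentRoot /var/www/domain/htdocs
</VirtualHost>

<VirtualHost *:80>
    ServerName subdomain.domain.com
    DocumentRoot /var/www/subdomain/htdocs
    # Scripts are reachable only through this mapping, which always
    # executes them instead of serving their contents.
    ScriptAlias /cgi-bin/ /var/www/subdomain/cgi-bin/
    <Directory "/var/www/subdomain/cgi-bin">
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

# --- If the nested layout cannot be avoided ---
# Keep the weak layout's paths, but add a second mapping inside the
# www.domain.com vhost so the nested URL is executed as well:
#
#     ScriptAlias /subdomain/cgi-bin/ /var/www/domain/subdomain/cgi-bin/
```

After a change like this, requesting the script through every hostname and path that can reach it confirms that none of them returns the source text.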
 
