Unix / CGI Script Permissions Guide
In order for a CGI script to work, the permissions on the script must be set to allow the script to do what it needs to do. For example, a CGI script must always be set to allow execute access (running of the script); for scripts that need to update files, permissions must be set to allow write access to those files.

It's not that complicated once you have installed a few CGI scripts; however, there are different ways to say the same thing when it comes to permissions. This page is meant to provide an overview of the various types of permissions, how they are written and how to set them.

The information provided in this document assumes that you have some experience with CGI scripts and understand basic file permissions.
Default Permissions: Files
When you create a file on the web server or upload a file to the server using FTP, a set of default permissions is assigned to the new file. These permissions would look something like this:

-rw-r--r--    index.html
These permissions allow:
- the owner (you) to read and write the file (indicated by rw-)
- the group (other users on the server in the same group as you) to read (indicated by r--)
- the world (everyone on the server, including the web server) to read (indicated by r--)
The leading character differentiates between files and directories (with a - indicating a file and a d indicating a directory).

These default permissions can also be written using a numeric mask, where the numbers indicate the permissions settings. The numeric mask for these default settings would be "644" (sometimes also written as "0644", "chmod 0644" or "chmod 644"). The numeric mask is mentioned since it is often the notation used in CGI script help files. It's good to be able to convert that to a permission you understand and know how to set.
Default Permissions: Directories
When you create a directory, the default permissions are something like this:

drwxr-xr-x    public_html
These permissions allow:
- the owner to read, write and execute the directory (indicated by rwx)
- the group to read and execute the directory (indicated by r-x)
- the world to read and execute the directory (indicated by r-x)
Execute permissions are needed for directories so that you can access the directory. It does not mean that the directory will be executed (it is not a program) but rather allows the user to enter the directory and read the file listing.

The numeric mask for these default settings would be 0755.
Setting Execute Permissions: Files
When a file is a CGI script, execute permissions need to be set in order to allow the script to execute (run). The proper permissions are something like this:

-rwxr-xr-x    script.cgi

These permissions allow:
- the owner to read, write and execute the file (indicated by rwx)
- the group to read and execute (indicated by r-x)
- the world to read and execute (indicated by r-x)
The numeric mask for these permission settings would be 0755.
Setting Write Permissions: Files
When a CGI script needs to update a file, the permissions need to be set in order to allow the script to read and write the file. The proper permissions are something like this:

-rw-rw-rw-    file.html
These permissions allow:
- the owner to read and write the file (indicated by rw-)
- the group to read and write (indicated by rw-)
- the world to read and write (indicated by rw-)
The numeric mask for these permission settings would be 0666.

You should NEVER set a CGI script to 0666. This would mean that anyone could edit the script and add whatever commands they wanted to the program. That is a significant security risk.
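As an added example (not code from the original guide), the following POSIX shell functions convert a permission string such as -rwxr-xr-x into the numeric mask described earlier, and apply the guide's rule for CGI scripts: executable by the world and never writable by group or world (so 0755 passes and 0666 fails). The function names and the use of `ls -ld` to read a file's permission string are my choices, not the guide's.

```shell
# Added example, not the guide's own code: symbolic mode -> numeric mask,
# plus a check of a CGI script against the guide's rule (0755, never 0666).
# mode_to_octal MODE  (MODE is a 10-character string such as -rwxr-xr-x)
# Prints the numeric mask with a leading zero, e.g. 0755. Only r, w and x
# are handled; setuid/setgid/sticky letters are outside the guide's scope.
mode_to_octal() {
    perms=${1#?}                # drop the type character (- file, d directory)
    result=""
    pos=1
    while [ "$pos" -le 9 ]; do  # three triples: owner, group, world
        triple=$(printf '%s' "$perms" | cut -c"$pos-$((pos + 2))")
        digit=0
        case $triple in r??) digit=$((digit + 4)) ;; esac
        case $triple in ?w?) digit=$((digit + 2)) ;; esac
        case $triple in ??x) digit=$((digit + 1)) ;; esac
        result="$result$digit"
        pos=$((pos + 3))
    done
    printf '0%s\n' "$result"
}

# file_mode PATH  -> the 10-character permission string of PATH, from ls -ld
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# script_mode_ok MODE
# Returns 0 when MODE is what the guide recommends for a CGI script: world
# (i.e. web server) executable and not writable by group or world; else 1.
script_mode_ok() {
    perms=${1#?}
    case $perms in
        ????w????|???????w?) return 1 ;;  # group/world writable: anyone could edit it
    esac
    case $perms in
        ????????x) return 0 ;;            # world can execute it
    esac
    return 1                              # not executable: the server cannot run it
}

# audit_cgi PATH -> prints "PATH MASK ok" or "PATH MASK UNSAFE" (returns 1)
audit_cgi() {
    mode=$(file_mode "$1")
    mask=$(mode_to_octal "$mode")
    if script_mode_ok "$mode"; then
        printf '%s %s ok\n' "$1" "$mask"
    else
        printf '%s %s UNSAFE\n' "$1" "$mask"; return 1
    fi
}
```

Run `audit_cgi /path/to/script.cgi` against each script in a cgi-bin directory; any line ending in UNSAFE is a script that the guide says must be changed back to 0755.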
Setting Write Permissions: Directories
When a CGI script needs to update a directory (i.e. create a new file), the permissions need to be set to allow everyone to read, write and execute the directory. The proper permissions are something like this:

drwxrwxrwx    directory
These permissions allow:
- the owner to read, write and execute the directory (indicated by rwx)
- the group to read, write and execute the directory (indicated by rwx)
- the world to read, write and execute the directory (indicated by rwx)
Remember, directory permissions need to be set to execute in order to access the directory.

The numeric mask for these permission settings would be 0777.
Just because you can write to a directory does not mean that you can write to all files in a directory. For directories, write permissions mean that you can create new files, but they do not mean that you can update existing files. Existing files can only be updated if the permissions on those files are set to allow writing.
Summary
This table summarizes the information presented above:
| File Type | In Plain English | Permission String (DirInfo) | Numeric Mask |
|---|---|---|---|
| File: Default | owner: read, write; group: read; world: read | -rw-r--r-- | 0644 or 644 |
| Directory: Default | owner: read, write, execute; group: read, execute; world: read, execute | drwxr-xr-x | 0755 or 755 |
| CGI Scripts | owner: read, write, execute; group: read, execute; world: read, execute | -rwxr-xr-x | 0755 or 755 |
| File: Write | owner: read, write; group: read, write; world: read, write | -rw-rw-rw- | 0666 or 666 |
| Directory: Write | owner: read, write, execute; group: read, write, execute; world: read, write, execute | drwxrwxrwx | 0777 or 777 |