Next / Previous / Index / TCC Help System / Publications / Site map / NM Tech homepage

HTML Server Side Includes: Permission problems

Sometimes a SSI (Server Side Includes) script, as executed by a  SSI tag, will need to write to a file.

Because SSI scripts run as user ``nobody,'' they will not have the same permissions as they would if they were run by you. (See `Controlling access to your files' for background information about permissions.)

So if a script needs to write to a file, you have two choices:

You could set the permissions on the file to ``world writeable,'' so even user ``nobody'' can write to it. This is not a good idea, though, because then anyone can alter or delete the file.
There is a special permission called ``setuid'' or ``suid.'' If this permission is set on a program or script, then that program or script runs as if it were being run by the owner of the program or script. So if your program is owned by you and has the suid bit set, it can access your files without those files being world writeable. See the sections below.

Compiled programs

If the program you want to execute from SSI is in a compiled language such as C or C++, you must observe these precautions:

You must compile the program in such a way that it will run on our Web server, infohost.nmt.edu. This is currently a Linux system, so be sure to compile and test the program on a Linux box.
When you have compiled the program, if you need setuid permission on it (see above), use this command:
```
      chmod 4755 binary
```
where binary is the executable form of your program.

Scripting languages

The application you want to execute from SSI may be in a scripting language such as bash, Python, Perl, or the like (with its first line having the form "#!pathname").

If the script does not need the setuid permission, and can run as user ``nobody,'' there is no problem.

However, due to security considerations, our Web server disregards the setuid permission for all scripts executed from SSI #exec tags or as CGI scripts. So even if you add the setuid permission to your script, it will still run as nobody.

In this case, you can still get the script to run as setuid, but you must supply a ``wrapper'' program in a compiled language, and add the setuid permission on the compiled form of this wrapper program.

Here is a complete, simple wrapper program in C that will do the job:

main (argc,argv)
int  argc;
char **argv;
{ 
  execv("path",argv);
}

where path is the absolute pathname of the script. To set up the wrapper:

Copy the above program to a file in the same directory as your script, and call it something like run.c.
Substitute the name of your script in the execv(...) line.
Make sure you are on a Linux platform for the compilation step below.
Compile the program using a command like:
```
      gcc run.c -o run
```
Give the executable setuid permission using something like:
```
      chmod 4755 run
```

See also: Using HTML Server Side Includes (SSI)
Previous: HTML Server Side Includes: exec
Site map
Index: Keyword index to help pages
Help: New Mexico Tech Computer Center: Help System
TCC Publications
Home: About New Mexico Tech

John Shipman, john@nmt.edu

HTML Server Side Includes: Permission problems

Compiled programs

Scripting languages

Last updated: 2000/07/28 22:51:14 UT URL: http://www.nmt.edu/tcc/help/html/ssi_suid.html

Last updated: 2000/07/28 22:51:14 UT
URL: http://www.nmt.edu/tcc/help/html/ssi_suid.html