Re: IFS File permissions

Hello,

On 1/26/2012 11:17 AM, Pete Helgren wrote:

Yep. I would rather use the IFS but I think all I saw in the CGIDEBUG
file was "cannot open file" and "permission denied" (I don't have the
exact wording because I cleared the member). The folders and files all
had QTMHHTTP with *RX permissions and the Apache log had nothing to add.

CGI programs do not typically run under userid QTMHHTTP. They run under QTMHHTP1 by default. (Though, my shop, and others I've worked with like to change this to make the user sign-in and access files under their own authority.)

The folder I was trying to access had the following directory entry in
the config file:

<Directory /www/myfolder/htdocs/myapps>
Options None
order allow,deny
allow from all
</Directory>

You should NOT have this for your template files.

This is to allow the HTTP server to send the file (the IFS file in the directory, above) to the browser. You don't want the browser to receive this file directly, do you?

When the HTTP server calls a CGI script (aka your program) it only needs authority to run the program. It doesn't access the file directly (indeed, it doesn't even know there's a file involved -- some of the CGI scripts I've written don't even use template files.)

It's your *program* (via calls to the CGISRVPGM2 service program) that access the files. Program access to files works the same in CGI as it does anywhere else... it uses the operating systems object-level security.

By opening up the /www/myfolder/htdocs/myapps directory in the Apache config as you've done, you've made it possible for browsers to read your template files directly without calling your program. Depending on the environment, this could be a huge security hole.