A client has a website that uses Perl scripts. They work just fine as long as they have chmod +x, but every time sympl-filesystem-security runs, it removes the +x.
I’ve put a file called disable-filesystem-security in the config folder, but that hasn’t stopped it.
Aha! Despite not finding it in a search, after I posted that, the website suggested another topic, where it says I need do-not-secure rather than disable-filesystem-security
Added that, and the problem has stopped.
However, that doesn’t get away from the fact that .pl files ought to be allowed to keep their +x attribute.
Perhaps the config directory is not the best place to put scripts?
On one domain I have created a directory /srv/example.com/scripts which contains a couple of executables, and they keep their +x attribute.
I just thought it would be tidier to make a new directory for them: I didn’t know I’d inadvertently solved a potential problem with sympl-file-system-security.
The scripts are in public/htdocs/cgi-bin
It’s the file to turn off sympl-filesystem-security that’s in config.
The client doesn’t even have access to config, so they couldn’t use it even if they wanted to.
Ah. Turning off +x in cgi-bin doesn’t look like a very sensible idea.
(and my script example was for processing email, so lack of access from the web site wasn’t an issue)
So, long story short, cgi-bin scripts should be in /srv/example.com/public/cgi-bin, which is aliased to http://example.com/cgi-bin. This means that if something isn’t executable in there for some reason, the source won’t get exposed.
However, by default sympl-filesystem-security locks down everything in public/ fairly blindly - logs, htdocs, etc. - and will strip anything of an executable bit; obviously this will just break anything in public/cgi-bin.
I’ve got an issue logged and a fix going into the testing branch soon that will ignore the contents of public/cgi-bin (but still reset permissions on public/cgi-bin itself):
Today, I switched it back on on a site that had an issue before
This is what I got:
/etc/cron.hourly/sympl-filesystem-security:
find: paths must precede expression: /srv/domainname.co.uk/public/cgi-bin/nms2mail.pl'
find: possible unquoted pattern after predicate -path'?
run-parts: /etc/cron.hourly/sympl-filesystem-security exited with return code 1
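Added example, not code from this thread or from Sympl itself: a small POSIX sh script that does the exclusion the fix above describes (strip execute bits under public/ but prune public/cgi-bin so its contents keep their modes, while still resetting the cgi-bin directory itself), and a deliberately broken variant that reproduces the find error in the last post, which is what GNU find prints when the glob after -path is left unquoted and the shell expands it to several file names before find runs. The directory layout, file names and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo of pruning public/cgi-bin from a permission sweep.
set -u

# Build a throwaway site tree (constructed layout, not a real Sympl install).
make_site() {
    site=$(mktemp -d)
    mkdir -p "$site/public/htdocs" "$site/public/cgi-bin" "$site/public/logs"
    printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$site/public/cgi-bin/a.pl"
    cp "$site/public/cgi-bin/a.pl" "$site/public/cgi-bin/b.pl"
    printf 'hello\n' > "$site/public/htdocs/index.html"
    chmod 755 "$site/public/cgi-bin/a.pl" "$site/public/cgi-bin/b.pl" \
              "$site/public/htdocs/index.html"
    echo "$site"
}

# Remove execute bits from regular files under public/, pruning public/cgi-bin
# so its contents are untouched. The directory itself is still reset to 755.
# The -path pattern is quoted so find, not the shell, interprets it.
secure_public() {
    pub="$1/public"
    chmod 755 "$pub/cgi-bin"
    find "$pub" -path "$pub/cgi-bin" -prune -o -type f -exec chmod a-x {} +
}

# True when the given file has an execute bit set.
is_exec() { [ -x "$1" ]; }

# Broken variant: the unquoted glob is expanded by the shell to a.pl b.pl, so
# find receives "-path .../a.pl .../b.pl -prune" and fails with
# "paths must precede expression". Returns find's non-zero exit status.
broken_variant() {
    pub="$1/public"
    find "$pub" -path $pub/cgi-bin/* -prune -o -type f -print >/dev/null 2>&1
}

# Demo run: secure a constructed tree and list the resulting modes.
demo=$(make_site)
secure_public "$demo"
ls -l "$demo/public/cgi-bin" "$demo/public/htdocs"
rm -rf "$demo"
```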