Problem Description
A client has a website that uses perl scripts. They work just fine as long as they have chmod +x but every time sympl-filesystem-security runs, it removes the +x
I’ve put a file called disable-filesystem-security in the config folder, but that hasn’t stopped it.
Any Error Messages
Environment
- Sympl Version [9.0/10.0]: 10
- Sympl Testing Version? [Yes/No] no
- Debian Version [Buster/Stretch]: buster
- Hardware Type? [Dedicated/Virtual/Pi] dedicated
- Hosted On? [name of hosting co] Bytemark
Aha! Despite not finding it in a search, after I posted that, the website suggested another topic, where it says I need do-not-secure rather than disable-filesystem-security
Added that, and the problem has stopped.
However, that doesn’t get away from the fact that .pl files ought to be allowed to keep their +x attribute.
Perhaps the config directory is not the best place to put scripts?
On one domain I have created a directory /srv/example.com/scripts which contains a couple of executables, and they keep their +x attribute.
I just thought it would be tidier to make a new directory for them: I didn’t know I’d inadvertently solved a potential problem with sympl-file-system-security.
The scripts are in public/htdocs/cgi-bin
It’s the file to turn off sympl-filesystem-security that’s in config.
The client doesn’t even have access to config, so they couldn’t use it even if they wanted to.
Ah. Turning off +x in cgi-bin doesn’t look like a very sensible idea.
(and my script example was for processing email, so lack of access from the web site wasn’t an issue)
Is there a reason why Sympl is removing +x from perl scripts? I don’t use perl much any more, but at least one client does.
So, long story short, cgi-bin scripts should be in /srv/example.com/public/cgi-bin, which is aliased to http://example.com/cgi-bin. This means that if something isn’t executable in there for some reason, the source won’t get exposed.
However, by default sympl-filesystem-security locks down everything in public/ fairly blindly - logs, htdocs, etc. - and will strip anything of an executable bit; obviously this will just break anything in public/cgi-bin.
I’ve got an issue logged and a fix going into the testing branch soon that will ignore the contents of public/cgi-bin (but still reset permissions on public/cgi-bin itself):
This should now be fixed in all versions - any items in public/cgi-bin are exempt from having their permissions adjusted.
Let me know how you get on!
Today, I switched it back on, on a site that had an issue before.
This is what I got:
/etc/cron.hourly/sympl-filesystem-security:
find: paths must precede expression: `/srv/domainname.co.uk/public/cgi-bin/nms2mail.pl'
find: possible unquoted pattern after predicate `-path'?
run-parts: /etc/cron.hourly/sympl-filesystem-security exited with return code 1
I’ve just pushed an update for this which should fix it fully - let me know how it goes.
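The two behaviours discussed in this thread, stripping execute bits from everything under public/ while leaving public/cgi-bin alone, and the find quoting error that appeared when the exemption was first added, can be shown with a small POSIX shell function. This is an added illustration written for this thread, not Sympl's own sympl-filesystem-security script, and it assumes the layout the thread describes: a site root such as /srv/example.com with a public/ tree whose public/cgi-bin subtree must keep +x. The "paths must precede expression" message find printed above is what find reports when a pattern given to -path is left unquoted, so the shell expands it to a real file name that then lands after the expression; the -path argument here is quoted for that reason.

```shell
#!/bin/sh
# Added illustration, not Sympl's sympl-filesystem-security script.
# Assumed layout: $1 is a site root like /srv/example.com containing public/,
# and public/cgi-bin is the one subtree that must keep its executable bits.

# Strip execute bits from regular files under public/, except under public/cgi-bin.
# -prune on the (quoted) cgi-bin path stops find descending into it, and because
# -prune is true the -o branch is skipped for that directory. Leaving the -path
# argument unquoted lets the shell glob it into a file name, which find then
# rejects with "paths must precede expression".
strip_exec_outside_cgibin() {
    root=$1
    find "$root/public" -path "$root/public/cgi-bin" -prune -o \
        -type f -exec chmod a-x {} +
}

# Print 1 if any execute bit is set on the path, else 0 (portable: reads ls -l mode).
has_exec_bit() {
    case $(ls -ld "$1" | cut -c1-10) in
        *x*) echo 1 ;;
        *)   echo 0 ;;
    esac
}

# Build a constructed site tree in a temp dir, run the sweep, and report the
# resulting state of one file in htdocs and one in cgi-bin as "htdocs=N cgi-bin=N".
demo_result() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public/htdocs" "$tmp/public/cgi-bin"
    printf '#!/bin/sh\necho hi\n' > "$tmp/public/htdocs/stray.sh"
    printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$tmp/public/cgi-bin/nms2mail.pl"
    chmod 755 "$tmp/public/htdocs/stray.sh" "$tmp/public/cgi-bin/nms2mail.pl"
    strip_exec_outside_cgibin "$tmp"
    h=$(has_exec_bit "$tmp/public/htdocs/stray.sh")
    c=$(has_exec_bit "$tmp/public/cgi-bin/nms2mail.pl")
    rm -rf "$tmp"
    echo "htdocs=$h cgi-bin=$c"
}

demo_result
```

Running it prints `htdocs=0 cgi-bin=1`: the stray script under htdocs loses its execute bit, while the Perl CGI under cgi-bin keeps it, which is the behaviour the fix in this thread was meant to produce.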