How to protect your cgi-bin directory in AFS
From Web Services Wiki
You want to lock down your cgi-bin directory in AFS so that only people you specify have access to the files. This is especially important if you have passwords stored in plain text, such as in a script that connects to a database or an external server.
Set the bare minimum permissions for a script to execute
The following suggested permissions grant read and list access to the web servers, the backup servers, and your group, department, or personal CGI principal. They also grant full access to system administrators and to your own account or group.
Normal rights:
  system:cgi-servers rl
  system:backup rl
  system:administrators rlidwka
  [your_sunetid_or_pts_group] rlidwka
  [cgi_principal_name].cgi rl
First, remove all unnecessary permissions from your cgi-bin. Using a shell, log in and enter the cgi-bin directory. Use
fs la
to list the current permissions.
- Use the command
fs sa . [name] none
to remove all permissions from a particular entity. For example:
fs sa . system:anyuser none
Next, set the appropriate permissions to match the example above.
- For example, to give your group, department, or personal CGI principal only read and list access, use the command
fs sa . [cgi_principal_name].cgi rl
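To check the result of the steps above, the following added example (not part of the original wiki page) compares the output of fs la with the suggested ACL and prints the fs sa command that corrects each deviation. The function names audit_acl and sample_acl, the account jdoe, and the principal jdoe.cgi are assumptions made for illustration.

```sh
# Added example: compare `fs la` output (read from stdin) with the suggested ACL.
# Usage: fs la . | audit_acl OWNER CGI_PRINCIPAL   (returns 0 on a match, 1 otherwise)
audit_acl() {
    awk -v owner="$1" -v cgi="$2" '
        BEGIN {
            # Suggested entries and rights, in the order listed on this page.
            n = split("system:cgi-servers system:backup system:administrators " owner " " cgi, names, " ")
            split("rl rl rlidwka rlidwka rl", rights, " ")
            for (i = 1; i <= n; i++) want[names[i]] = rights[i]
            bad = 0
        }
        /^Normal rights:/   { section = "normal"; next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && NF == 2 {
            seen[$1] = 1
            if (!($1 in want)) {
                print "EXTRA " $1 " " $2 " -> fs sa . " $1 " none"; bad = 1
            } else if ($2 != want[$1]) {
                print "MISMATCH " $1 " " $2 " -> fs sa . " $1 " " want[$1]; bad = 1
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(names[i] in seen)) {
                    print "MISSING " names[i] " -> fs sa . " names[i] " " want[names[i]]; bad = 1
                }
            exit bad
        }
    '
}

# Constructed sample of `fs la` output (jdoe and jdoe.cgi are made-up names).
sample_acl() {
    cat <<'EOF'
Access list for . is
Normal rights:
  system:cgi-servers rl
  system:administrators rlidwka
  system:anyuser rl
  jdoe rlidwka
  jdoe.cgi rlidwk
EOF
}

# Reports the world-readable entry, the over-privileged CGI principal, and the missing backup entry.
sample_acl | audit_acl jdoe jdoe.cgi || true
```

A PTS group that you added deliberately is also reported as EXTRA, so review each line before running the suggested command.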
Create a PTS group to give additional users access to the directory
Visit IT Services to learn how to create a PTS group. Creating a group is a convenient way to manage multiple users.
Once a PTS group has been created, add it to the ACL as you would any other entity.
- To give read and list access to a group that you created, use the command
fs sa . [account_name]:[group_name] rl
For more information
- AFS at Stanford - informative resource for all AFS-related concerns