httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Folder Permissions
Date Fri, 06 Jun 2003 13:53:25 GMT

On Fri, 6 Jun 2003, Mario Antonio wrote:
> I got a security concern.
> When using a php script that uploads files to the server, I need to give
> write permissions to everybody in that specific folder (within the
> public_html folder)
>
> When a file is uploaded, that file is now owned by "WWW" (apache user) and
> its group remains the same (the user's group that owns that folder)
>
> These are the permissions of that specific folder:
> drwxrwxrwx  2 myuser  myuser    512 Jun  5 15:24 myfolder_to_upload

This folder should be owned by www and should have write permissions only
for the owner.

>
> And these are the permissions of the file that is uploaded:
> -rw-r--r--  1 www     myuser    58880 Jun  5 14:11 my_uploaded_file.doc
>
> Is this OK? Or is it something that I should stay away from?
> If it is such a security threat, how to provide a safe environment to
> upload files through web scripts?

This is "relatively" safe if:

1. You restrict access to the www user to only trusted people; and

2. Only trusted people are allowed to author any sort of script
(cgi/perl/php) on the server.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
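
A check for the directory layout recommended in the reply above (owned by the web server user, writable by the owner only), as an added example that is not part of the original message. The function name audit_upload_dir and the temporary directory used in the demo are hypothetical; the demo passes the current user's numeric ID where a real check would pass www.

```shell
#!/bin/sh
# Added example, not from the original thread.
# audit_upload_dir DIR OWNER
#   OWNER is a user name or numeric uid (for the thread's setup: www).
#   Prints one finding per line.
#   Returns 0 if DIR is owned by OWNER and writable by the owner only,
#   1 if any finding was printed, 2 if DIR is not a directory.
audit_upload_dir() {
    dir=$1 owner=$2 rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 2; }

    # -prune keeps find on DIR itself instead of descending into it.
    if [ -z "$(find "$dir" -prune -user "$owner" 2>/dev/null)" ]; then
        echo "owner is not $owner: $dir"; rc=1
    fi
    # -perm -0020 / -0002 match when the group / other write bit is set.
    if [ -n "$(find "$dir" -prune -perm -0020)" ]; then
        echo "group-writable: $dir"; rc=1
    fi
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        echo "world-writable: $dir"; rc=1
    fi
    return $rc
}

# Demo on a constructed temporary directory.
tmp=$(mktemp -d)
chmod 777 "$tmp"                          # mode from the question: drwxrwxrwx
audit_upload_dir "$tmp" "$(id -u)" || true
chmod 755 "$tmp"                          # write permission for the owner only
audit_upload_dir "$tmp" "$(id -u)" && echo "ok: $tmp"
rm -rf "$tmp"
```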

