From: Joshua Slive
To: users@httpd.apache.org
Date: Fri, 6 Jun 2003 09:53:25 -0400
Subject: Re: [users@httpd] Folder Permissions

On Fri, 6 Jun 2003, Mario Antonio wrote:

> I got a security concern.
> When using a php script that uploads files to the server, I need to give
> write permissions to everybody in that specific folder (within the
> public_html folder)
>
> When a file is uploaded, that file is now owned by "WWW" (apache user) and
> its group remains the same (the user's group that owns that folder)
>
> These are the permissions of that specific folder:
> drwxrwxrwx 2 myuser myuser 512 Jun 5 15:24 myfolder_to_upload

This folder should be owned by www and should have write permissions only
for the owner.

>
> And these are the permissions of the file that is uploaded:
> -rw-r--r-- 1 www myuser 58880 Jun 5 14:11 my_uploaded_file.doc
>
> Is this OK? Or is it something that I should stay away from?
> If it is such a security threat, how to provide a safe environment to
> upload files through web scripts?

This is "relatively" safe if:

1. You restrict access to the www user to only trusted people; and
2. Only trusted people are allowed to author any sort of script
   (cgi/perl/php) on the server.

Joshua.
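
An added example, not part of the original message: a shell check for the condition the reply describes, an upload directory owned by the web server account and writable by its owner only. The function name `audit_upload_dir` is hypothetical, and the account is passed as an argument (the thread uses `www`); the demonstration runs on a constructed scratch directory.

```shell
# Added example: audit an upload directory against the advice in the reply
# (owned by the web server account, writable by its owner only).
# audit_upload_dir is a hypothetical helper name; the account is an argument
# because it differs between systems. It may be a login name or a numeric UID.
audit_upload_dir() {
    dir=$1
    owner=$2
    findings=""
    if [ ! -d "$dir" ]; then
        echo "not-a-directory"
        return 2
    fi
    # -prune keeps find on the directory itself instead of descending into it.
    if [ -z "$(find "$dir" -prune -user "$owner" 2>/dev/null)" ]; then
        findings="$findings wrong-owner"
    fi
    # -perm -0002: the "other" write bit is set (the drwxrwxrwx case).
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        findings="$findings world-writable"
    fi
    # -perm -0020: the group write bit is set.
    if [ -n "$(find "$dir" -prune -perm -0020)" ]; then
        findings="$findings group-writable"
    fi
    # The owner needs both write and search permission, or uploads fail.
    if [ -z "$(find "$dir" -prune -perm -0300)" ]; then
        findings="$findings owner-cannot-write"
    fi
    if [ -n "$findings" ]; then
        echo "${findings# }"
        return 1
    fi
    echo "ok"
}

# Constructed demonstration in a scratch directory owned by the current user.
demo=$(mktemp -d)
chmod 777 "$demo"
echo "before: $(audit_upload_dir "$demo" "$(id -u)")"
chmod 755 "$demo"
echo "after:  $(audit_upload_dir "$demo" "$(id -u)")"
rmdir "$demo"
```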