httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Faheem Mitha <fah...@email.unc.edu>
Subject [users@httpd] creating and serving temporary files with apache
Date Fri, 21 Oct 2005 03:45:55 GMT

Dear People,

I'm fairly new to apache administraction, so I apologise in advance if this an 
obvious question.

I am running Apache on Debian Sarge. It is running some CGI scripts, which 
allow a web client (browser) to upload data, process it, and then return 
the process results to the client in the form of clickable links which 
correspond to the results.

Let us assume for the purpose of this question that I have a CGI script along 
with other web pages, located in /var/www/data, which needs to write temporary 
files for the purpose described above.

My question is as follows. What is a good place to locate these files, and what 
permissions should be set on these files?

It seems to be clear that allowing apache's user (namely www-data) write 
permission to /var/www/data is a bad idea, because it would allow an attacker 
who obtained the permissions of www-data free access to the web pages there.

However, it is less clear where these files should be put.

First I was thinking of putting them in /tmp, but I am not sure it is a good 
idea for apache to be serving files from /tmp. Also, we require these files to 
be preserved over quite long periods of time, and /tmp is cleared on every 
reboot.

I'm now toying with the idea of putting them in say /var/www/data/tmp, where 
tmp would be owned by www-data (both user and group www-data), and nobody else 
would have write access. Actually, disabling read access might be a good idea 
as well.

What do people think of that? Any other suggestions/opinions?

Thanks in advance. Please cc me on any reply.

                                                                    Faheem.




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message