[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] PHP upload/dir permissions

AC> Date: Tue, 17 Jun 2003 15:08:26 +0100
AC> From: Andy Clyde


AC> i have 'open_basedir' and 'upload_tmp_dir' set on a per site basis in
AC> /etc/httpd.conf but this still wasn't working - the script was defaulting to
AC> /tmp and not /home/sites/siteXX/tmp as it should have been. i eventually
AC> solved this by changing the permissions on /home/sites/siteXX/tmp to 777.
AC> it also seems that i need to chmod 777 all the directories in the path where
AC> the tmp.uploaded.file is to be saved.
AC>
AC> this seems a bit dangerous. is there a workround? or is it safe?

Yes, it's dangerous, for obvious reasons.  When uploading files,
httpd runs as its own user, and NOT the site's owner.

Common workaround:

Let the files go to /tmp and be owned by httpd's user.  Use FTP
as a "permissions gateway" to log in to the user's site and
"upload" the file that way.  It works, but means storing the
user's password in httpd-readable file...

Big drawback to traditional *ix is the total lack of fine-grained
permissions.  Solaris and some other commercial flavors have
dealt with this.  FreeBSD has good ACL support in the works.  I
think some work has been done for Linux, but I don't know what
the status is.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
_________________________________________________________________
          DO NOT send mail to the following addresses :
  blacklist@xxxxxxxxx -or- alfra@xxxxxxxx -or- curbjmp@xxxxxxxx
Sending mail to spambait addresses is a great way to get blocked.