[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] PHP upload/dir permissions
- Subject: Re: [cobalt-security] PHP upload/dir permissions
- From: "E.B. Dreger" <eddy+public+spam@xxxxxxxxxxxxxxxxx>
- Date: Tue, 17 Jun 2003 15:32:21 +0000 (GMT)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
AC> Date: Tue, 17 Jun 2003 15:08:26 +0100
AC> From: Andy Clyde
AC> i have 'open_basedir' and 'upload_tmp_dir' set on a per site basis in
AC> /etc/httpd.conf but this still wasn't working - the script was defaulting to
AC> /tmp and not /home/sites/siteXX/tmp as it should have been. i eventually
AC> solved this by changing the permissions on /home/sites/siteXX/tmp to 777.
AC> it also seems that i need to chmod 777 all the directories in the path where
AC> the tmp.uploaded.file is to be saved.
AC>
AC> this seems a bit dangerous. is there a workround? or is it safe?
Yes, it's dangerous, for obvious reasons. When uploading files,
httpd runs as its own user, and NOT the site's owner.
Common workaround:
Let the files go to /tmp and be owned by httpd's user. Use FTP
as a "permissions gateway" to log in to the user's site and
"upload" the file that way. It works, but means storing the
user's password in httpd-readable file...
Big drawback to traditional *ix is the total lack of fine-grained
permissions. Solaris and some other commercial flavors have
dealt with this. FreeBSD has good ACL support in the works. I
think some work has been done for Linux, but I don't know what
the status is.
Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
_________________________________________________________________
DO NOT send mail to the following addresses :
blacklist@xxxxxxxxx -or- alfra@xxxxxxxx -or- curbjmp@xxxxxxxx
Sending mail to spambait addresses is a great way to get blocked.