[thelist] CF on Unix... file upload problems...

Eric Cestari eric at ohmforce.com
Fri Feb 23 12:34:01 CST 2001


Of course, it is a security risk.
This directory is world writable.
But, then, if you want to handle file uploads, well, the httpd process
has to be able to write in the dir.
And where the process can write, there is a security risk.

As far as file permissions are concerned, change the directory owner to
httpd's owner.

But do check the size, mime-type and whatever to ensure you are best
aware of what is uploaded (even though faking can overcome the mime-type
check).

And do not put this directory into $PATH. (very unlikely, though :)

Cheers,
	Eric
walker wrote:
> 
> Hey- that ps command is pretty cool!
> 
> I think I need to take a class in Unix.
> 
> to solve the prob, I didn't change the owner of the dir, I just changed the
> permissions to 757...
> 
> sounds like your solution is more to the point...
> 
> is making the directory 757 a security risk?
> 
> thanks
> 
> -w
> 
> At 10:45 AM 2/23/2001 -0600, you wrote:
> >Hey special ed -
> >
> >who is the directory owned by? ls -l will show you.. also, what group is
> >it in? Lastly, find out what user CF is running as(do a ps -aux on linux
> >or ps -efx(i think..) on solaris) and find the CF process'.. they're
> >probably running as 'nobody', so you need to make your directory either
> >owned by nobody( chown nobody /home/specialed/data ) with read/write
> >perms( chmod 644 /home/specialed/data ) or give the nobody group(not user)
> >read write permission ( chgrp nobody /home/specialed/data ) ( chmod 664
> >/home/specialed/data )
> >
> >That should do the trick.. Shout if you have more questions :)
> >
> >.djc.


-- 
==================================+========================
Eric Cestari                      |               Ohm Force
Chief Web Designer                |  Digital Audio Software
mailto:eric.cestari at ohmforce.com  | http://www.ohmforce.com
==================================+========================
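As an added example in POSIX shell (not code from the thread), here are the checks the message recommends, written as functions: detect the world-writable 757 case, confirm the directory is not on $PATH, drop world write as the thread suggests, and validate an upload by size and by its first bytes rather than by the client-supplied mime-type. The httpd user name "nobody" is an assumption taken from the thread's guess.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the web server runs as
# the user "nobody" (as guessed in the thread); set HTTPD_USER to whatever
# `ps` shows on your host.
set -eu
HTTPD_USER="${HTTPD_USER:-nobody}"

# 0 if DIR carries the world-writable bit, i.e. the 757 case from the thread.
is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -o=w)" ]
}

# 0 if DIR is listed in PATH (the thread warns against that).
is_on_path() {
    case ":$PATH:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Give the directory to the httpd user and drop world write: owner rwx,
# group r-x, others nothing. chown needs root, so it is skipped otherwise.
harden_upload_dir() {
    chmod 0750 "$1"
    if [ "$(id -u)" -eq 0 ]; then chown "$HTTPD_USER" "$1"; fi
}

# 0 if FILE is at most MAX bytes.
size_ok() {
    [ "$(wc -c < "$1")" -le "$2" ]
}

# Sniff the type from the first four bytes instead of trusting the client's
# Content-Type, which the thread notes can be faked.
sniff_type() {
    case "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" in
        89504e47) echo image/png ;;
        ffd8ff*)  echo image/jpeg ;;
        47494638) echo image/gif ;;
        *)        echo application/octet-stream ;;
    esac
}

# 0 only if the sniffed type equals the type the client claimed.
claimed_type_ok() {
    [ "$(sniff_type "$1")" = "$2" ]
}
```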



