AC> Date: Tue, 17 Jun 2003 15:08:26 +0100
AC> From: Andy Clyde
AC> I have 'open_basedir' and 'upload_tmp_dir' set on a per-site basis in
AC> /etc/httpd.conf but this still wasn't working - the script was defaulting to
AC> /tmp and not /home/sites/siteXX/tmp as it should have been. I eventually
AC> solved this by changing the permissions on /home/sites/siteXX/tmp to 777.
AC> It also seems that I need to chmod 777 all the directories in the path where
AC> the tmp.uploaded.file is to be saved.
AC>
AC> This seems a bit dangerous. Is there a workaround? Or is it safe?

Yes, it's dangerous, for obvious reasons. When uploading files,
httpd runs as its own user, and NOT the site's owner.

Common workaround:

Let the files go to /tmp and be owned by httpd's user. Use FTP
as a "permissions gateway" to log in to the user's site and
"upload" the file that way. It works, but means storing the
user's password in an httpd-readable file...

A big drawback to traditional *ix is the total lack of fine-grained
permissions. Solaris and some other commercial flavors have
dealt with this. FreeBSD has good ACL support in the works. I
think some work has been done for Linux, but I don't know what
the status is.

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
_______________________________________________
cobalt-security mailing list
http://list.cobalt.com/mailman/listinfo/cobalt-security
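
An added example, not part of the original thread: a small Python audit that walks from an upload directory up to a chosen root and lists every world-writable directory on the way, which is the state the "chmod 777 all the directories in the path" fix leaves behind. The function names and the temporary directory tree standing in for /home/sites/siteXX/tmp are constructed for illustration.

```python
import os
import stat
import tempfile


def world_writable_components(path, stop_at="/"):
    """Walk from `path` up to `stop_at` and return a list of
    (directory, octal mode, sticky bit set?) for each directory
    that any local user can write to."""
    findings = []
    current = os.path.realpath(path)
    stop_at = os.path.realpath(stop_at)
    while True:
        mode = os.stat(current).st_mode
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            sticky = bool(mode & stat.S_ISVTX)
            findings.append((current, oct(stat.S_IMODE(mode)), sticky))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings


def demo():
    # Constructed tree: <tmpdir>/siteXX/tmp stands in for the site's tmp dir.
    root = tempfile.mkdtemp()
    site = os.path.join(root, "siteXX")
    tmp = os.path.join(site, "tmp")
    os.makedirs(tmp)
    # State described in the thread: 777 on the upload dir and its parents.
    os.chmod(site, 0o777)
    os.chmod(tmp, 0o777)
    before = world_writable_components(tmp, stop_at=root)
    # Ancestors need only search (x) permission for another user to reach
    # tmp, so 755 on the parent removes one finding without touching tmp.
    os.chmod(site, 0o755)
    after = world_writable_components(tmp, stop_at=root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for label, result in (("before", before), ("after", after)):
        for directory, mode, sticky in result:
            print(f"{label}: {directory} mode={mode} sticky={sticky}")
```
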