
[suse-security] Virtual users don't have access to files uploaded from the web



Hi All,

On one of my SuSE 9.0 boxes, I have a distance learning platform based on PHP 
and MySQL.
The web designers have FTP access to its folder (unfortunately they never 
use ssh) and I gave them access by creating virtual users (I'm using 
proftpd).

The permissions on this folder are the following (1001 and 1001 are my 
respective virtual user and virtual proftp group):
drwxrwxr-x    6 1001     1001         4096 Jul 14 19:43 platform

This platform allows the upload of files from the web. The problem is that 
when a file is uploaded, it takes the permissions of the apache owner, 
like the following:
drwxrwxrwx    2 1001     1001         4096 Jul 15 14:30 .
drwxrwxrwx    3 1001     1001         4096 Jul 12 19:16 ..
-rw-r--r--    1 wwwrun   www         19456 Jul 15 14:29 prova.doc

This means that my FTP users are not able to work on those files. Also, 
to allow the upload of files, for the time being I gave write access to 
"the world" for this upload folder.

Any advice or security best practice regarding this problem would be 
appreciated.

Have a nice day

Gael

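The condition shown in the two listings can be checked mechanically. The following is an added example, not part of the original post: a shell function that reads `ls -l` output and reports entries that are world-writable or that the FTP account cannot write. `audit_listing` and `sample_listing` are hypothetical names, and the sample lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example; audit_listing is a hypothetical helper, not part of
# proftpd or Apache.
# Reads `ls -l` style lines on stdin.
#   $1 = owner the FTP virtual user maps to, $2 = its group (as shown by ls)
# Prints one finding per line:
#   WORLD-WRITABLE <name>   the "other" class has write permission
#   NO-WRITE <name>         the given owner/group has no write bit on the entry
# Limits: ignores ACLs and supplementary groups; names containing spaces
# are reported by their last word only.
audit_listing() {
    awk -v u="$1" -v g="$2" '
    NF >= 9 {
        mode = $1; owner = $3; group = $4; name = $NF
        # Character 9 of the mode string is the write bit for "other".
        if (substr(mode, 9, 1) == "w")
            print "WORLD-WRITABLE " name
        # Select the permission class that applies to the FTP account:
        # owner bits if the owner matches, else group bits, else other bits.
        if (owner == u)      w = substr(mode, 3, 1)
        else if (group == g) w = substr(mode, 6, 1)
        else                 w = substr(mode, 9, 1)
        if (w != "w")
            print "NO-WRITE " name
    }'
}

# Upload-folder listing as quoted in the post.
sample_listing() {
cat <<'EOF'
drwxrwxrwx    2 1001     1001         4096 Jul 15 14:30 .
drwxrwxrwx    3 1001     1001         4096 Jul 12 19:16 ..
-rw-r--r--    1 wwwrun   www         19456 Jul 15 14:29 prova.doc
EOF
}

# Audit the sample from the point of view of virtual user 1001, group 1001.
sample_listing | audit_listing 1001 1001
```

On a live system the same function can be fed from `ls -ln <dir>`, passing the numeric uid and gid so that the comparison does not depend on name lookups.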