[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [suse-security] Virtual virtual users don't have access to files uploaded from the web
On one of my SuSe 9.0 Box, I've a distance learning platform based on php
The web designers have ftp access to its folder (unfortunately they never
use ssh) and I gave them access creating virtual users (I'm using
The permissions on this folder are the following (1001 and 1001 are my
respective virtual user and virtual proftp group):
drwxrwxr-x 6 1001 1001 4096 Jul 14 19:43 platform
This platform allows the upload of files from the web. The problem is that
when a file is uploaded, it takes the permissions of the apache owner,
like the following:
drwxrwxrwx 2 1001 1001 4096 Jul 15 14:30 .
drwxrwxrwx 3 1001 1001 4096 Jul 12 19:16 ..
-rw-r--r-- 1 wwwrun www 19456 Jul 15 14:29 prova.doc
Which means that my ftp users are not able to work on those files. Also,
to allow the upload of files, for the time being I gave write access to
"the world" for this upload folder
Any advice or security best practice regarding this problem would be
Have a nice day
Your problem is not, that the directory is not acesible from the users,
but the files created by the real ftp-users. Proftpd is a littlebit
difficult to configure, but maybe there is an option for filecreation.
If there is no option run a cron-script on your upload-dir that sets
correct filerights (e.g. every hour).
I personally use vsftpd. There is an option for adding virtual users and
for filecreation (chown/chmod) to say for which user/group and rights
uploads will be set, pure-ftpd you will be able to add virtual users and
set upload-rights as well.
In the manpages/howto's (/usr/share/doc/packages/_PACKAGENAME_) there
are many examples how to configure these ftp-servers. Here you will find
examples for proftpd, too.
I hope this helps.
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here