[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Virtual virtual users don't have access to files uploaded from the web

To: "suse-security@xxxxxxxx" <suse-security@xxxxxxxx>
Subject: Re: [suse-security] Virtual virtual users don't have access to files uploaded from the web
From: Philippe Vogel <filiaap@xxxxxxxxxx>
Date: Fri, 16 Jul 2004 12:41:41 +0200
Delivered-to: mailing list suse-security@xxxxxxxx
In-reply-to: <OFC071E7E5.61EEF8BD-ONC1256ED3.002F9B98-C1256ED3.0030B28A@xxxxxxxxxx>
List-help: <mailto:suse-security-help@suse.com>
List-post: <mailto:suse-security@suse.com>
List-subscribe: <mailto:suse-security-subscribe@suse.com>
List-unsubscribe: <mailto:suse-security-unsubscribe-suse=archive.cert.uni-stuttgart.de@suse.com>
Mailing-list: contact suse-security-help@xxxxxxxx; run by ezmlm
References: <OFC071E7E5.61EEF8BD-ONC1256ED3.002F9B98-C1256ED3.0030B28A@xxxxxxxxxx>
User-agent: Mozilla Thunderbird 0.7.2 (Windows/20040707)

g.lams@xxxxxxxxxx wrote:

Hi All,
On one of my SuSe 9.0 Box, I've a distance learning platform based on phpand MySQL.The web designers have ftp access to its folder (unfortunately they neveruse ssh) and I gave them access creating virtual users (I'm usingproftpd).
The permissions on this folder are the following (1001 and 1001 are myrespective virtual user and virtual proftp group):
drwxrwxr-x    6 1001     1001         4096 Jul 14 19:43 platform
This platform allows the upload of files from the web. The problem is thatwhen a file is uploaded, it takes the permissions of the apache owner,like the following:
drwxrwxrwx    2 1001     1001         4096 Jul 15 14:30 .
drwxrwxrwx    3 1001     1001         4096 Jul 12 19:16 ..
-rw-r--r--    1 wwwrun   www         19456 Jul 15 14:29 prova.doc
Which means that my ftp users are not able to work on those files. Also,to allow the upload of files, for the time being I gave write access to"the world" for this upload folder
Any advice or security best practice regarding this problem would beappreciated
Have a nice day

Gael

Hi!

Your problem is not, that the directory is not acesible from the users,but the files created by the real ftp-users. Proftpd is a littlebitdifficult to configure, but maybe there is an option for filecreation.If there is no option run a cron-script on your upload-dir that setscorrect filerights (e.g. every hour).

I personally use vsftpd. There is an option for adding virtual users andfor filecreation (chown/chmod) to say for which user/group and rightsuploads will be set, pure-ftpd you will be able to add virtual users andset upload-rights as well.

In the manpages/howto's (/usr/share/doc/packages/_PACKAGENAME_) thereare many examples how to configure these ftp-servers. Here you will findexamples for proftpd, too.


I hope this helps.

Philippe

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here

References:
- [suse-security] Virtual virtual users don't have access to files uploaded from the web
  - From: g . lams

Prev by Date: [suse-security] Virtual virtual users don't have access to files uploaded from the web
Next by Date: Re: [suse-security] Virtual virtual users don't have access to files uploaded from the web
Previous by thread: [suse-security] Virtual virtual users don't have access to files uploaded from the web
Next by thread: Re: [suse-security] Virtual virtual users don't have access to files uploaded from the web
Index(es):
- Date
- Thread