Re: [suse-security] Virtual virtual users don't have access to files uploaded from the web
The permissions on this folder are the following (1001 and 1001 are my
respective virtual user and virtual proftp group):
drwxrwxr-x 6 1001 1001 4096 Jul 14 19:43 platform
This platform allows the upload of files from the web. The problem is that
when a file is uploaded, it takes the permissions of the apache owner,
like the following:
drwxrwxrwx 2 1001 1001 4096 Jul 15 14:30 .
drwxrwxrwx 3 1001 1001 4096 Jul 12 19:16 ..
-rw-r--r-- 1 wwwrun www 19456 Jul 15 14:29 prova.doc
You can set the SGID bit on your directory with "chmod g+s platform".
This way, all files created inside will be owned by group 1001. Then you
need to change your upload script to set 664 permissions on uploaded
files. Then you will get
-rw-rw-r-- 1 wwwrun 1001 19456 Jul 15 14:29 prova.doc
This means your users can immediately work with the files and don't need
to wait for a cron job. A cron job that chowns _everything_ in that
directory could also be a security risk (exploitable via hardlinks).
But why do you upload files via the _web_ interface if your users
already have ftp access? If they uploaded their stuff via ftp then the
permissions were no problem. Or did I miss something?
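
The SGID directory plus 664 approach described above, as an added example that is not part of the original message. The function names and the temporary paths are constructed for illustration, and the `stat -c` format assumes GNU coreutils. The audit only reports files with the wrong group, no group write bit, or more than one hardlink, and changes nothing itself.

```shell
#!/bin/sh
# Added example, not from the thread. Names and paths are constructed.
# Uses GNU stat/find as shipped on Linux.

# Shared upload directory: rwxrwxr-x plus SGID, so files created inside
# take the directory's group rather than the web server's primary group.
setup_shared_dir() {
    chmod 2775 "$1"
}

# What the upload script should do once the file is written: set 664
# explicitly instead of inheriting the server's umask (644 in the thread).
store_upload() {    # store_upload <source> <dir> <name>
    cp "$1" "$2/$3" && chmod 664 "$2/$3"
}

# Report-only audit. It changes nothing, so a hardlink placed in the
# directory is flagged for review instead of being chown'ed by a cron job.
# File names containing newlines are not handled.
audit_shared_dir() {
    dir_gid=$(stat -c '%g' "$1")
    find "$1" -type f -exec stat -c '%a %g %h %n' {} + | sort -k4 |
    while read -r mode gid links name; do
        [ "$gid" = "$dir_gid" ] || echo "wrong-group $name"
        [ $(( (0$mode >> 3) & 2 )) -ne 0 ] || echo "no-group-write $name"
        [ "$links" -eq 1 ] || echo "hardlinked $name"
    done
}

# Demo in a throwaway directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/platform" && setup_shared_dir "$d/platform"
    printf 'constructed sample upload\n' > "$d/src.doc"
    store_upload "$d/src.doc" "$d/platform" prova.doc
    ls -ld "$d/platform" "$d/platform/prova.doc"
    audit_shared_dir "$d/platform"    # prints nothing when all is well
    rm -rf "$d"
}
demo
```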