
Re: [suse-security] Virtual virtual users don't have access to files uploaded from the web



g.lams@xxxxxxxxxx wrote:
> The permissions on this folder are the following (1001 and 1001 are my respective virtual user and virtual proftp group):
> drwxrwxr-x    6 1001     1001         4096 Jul 14 19:43 platform
>
> This platform allows the upload of files from the web. The problem is that when a file is uploaded, it takes the permissions of the apache owner, like the following:
> drwxrwxrwx    2 1001     1001         4096 Jul 15 14:30 .
> drwxrwxrwx    3 1001     1001         4096 Jul 12 19:16 ..
> -rw-r--r--    1 wwwrun   www         19456 Jul 15 14:29 prova.doc

You can set the SGID bit on your directory with "chmod g+s platform". This way, all files created inside will be owned by group 1001. Then you need to change your upload script to set 664 permissions on uploaded files. Then you will get

-rw-rw-r--    1 wwwrun   1001        19456 Jul 15 14:29 prova.doc

This means your users can immediately work with the files and don't need to wait for a cron job. A cron job that chowns _everything_ in that directory could also be a security risk (exploitable via hardlinks).

But why do you upload files via the _web_ interface if your users already have ftp access? If they uploaded their stuff via ftp then the permissions would be no problem. Or did I miss something?

nordi
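
The setup described in this reply, as a shell example added here (it is not part of the original message): an SGID upload directory, an upload step that sets 664, and a read-only check for files the group cannot edit. The function names and the scratch directory are assumptions; `stat -c` and `find -mindepth` assume GNU tools.

```shell
#!/bin/sh
# Added example: names below are assumptions, not taken from the thread,
# except "platform" and "prova.doc". Needs GNU stat and find.

# Shared directory: rwxrwxr-x plus SGID, so new entries take the
# directory's group rather than the creating process's primary group.
setup_upload_dir() {
    mkdir -p "$1" && chmod 775 "$1" && chmod g+s "$1"
}

# What the upload script should do: store the file, then set 664
# explicitly, because a daemon umask of 022 would leave it at 644.
store_upload() {
    dest="$2/$(basename "$1")"    # $1 = source file, $2 = upload directory
    ( umask 022 && cp "$1" "$dest" ) && chmod 664 "$dest"
}

# Print entries the directory's group cannot edit: wrong group, or no
# group write bit. No output means every upload is usable.
audit_upload_dir() {
    dir_gid=$(stat -c %g "$1")
    find "$1" -mindepth 1 \( ! -gid "$dir_gid" -o ! -perm -020 \) -print
}

# Demo on constructed input in a scratch directory.
tmp=$(mktemp -d)
setup_upload_dir "$tmp/platform"
echo "constructed sample" > "$tmp/prova.doc"
store_upload "$tmp/prova.doc" "$tmp/platform"
stat -c '%A uid=%u gid=%g %n' "$tmp/platform" "$tmp/platform/prova.doc"
audit_upload_dir "$tmp/platform"
rm -rf "$tmp"
```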

