[H-GEN] giving apache write permissions on a directory

Jason Parker-Burlingham jasonp at uq.net.au
Wed May 14 00:15:17 EDT 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

"Greg Fairbrother" <greg at greg.hm> writes:

> I know this is because the web server (apache) does not have permission to
> write to the directory "../images/uploads/"
>
> I could just change the permissions on the directory but that seems very
> dangerous to me... how can I give apache permission to write to the folder
> without compromising security?

You *may* be able to set the write permission bit and leave off the
execute permission bit on the directory (much like the traditional FTP
upload directory permission structure[1]).  That way apache can write
a file to the directory and read a file *if it knows the name*.

You'll also want to make sure the file name apache comes up with when
writing the file to the upload directory doesn't contain any bad
characters such as periods, slashes, colons, etc.  In fact it may be
easier to ensure the file name contains only a known set of
characters---perhaps you could just md5sum the data and use the result
as the file name, thereby making the filename almost unpredictable.

Combined with limits on the size of uploaded data---you're limiting
the size of the uploaded data, aren't you?---that *could* be enough.
It's hard to be sure.

jason

[1] : I tested this locally and it appears to work tolerably well but
      I didn't do so exhaustively.  I'm sure someone will correct me
      if I'm misremembering.
-- 
``Oooh!  A gingerbread house!  Hansel and Gretel are set for life!''
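
The filename and size-limit advice in the reply above, as an added example that is not part of the original post. It assumes a Python upload handler (the thread does not say what language the script is in) and uses SHA-256 in place of the suggested md5sum; `store_upload`, `UploadRejected` and `MAX_UPLOAD_BYTES` are hypothetical names.

```python
import hashlib
import os
import stat

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit; choose one that suits the site


class UploadRejected(Exception):
    """Raised when an upload breaks the size or naming policy."""


def store_upload(data: bytes, upload_dir: str,
                 max_bytes: int = MAX_UPLOAD_BYTES) -> str:
    """Write data under a server-chosen name and return that name."""
    # Enforce the size limit before anything touches the disk.
    if not data or len(data) > max_bytes:
        raise UploadRejected(f"expected 1..{max_bytes} bytes, got {len(data)}")

    # The name is the hex digest of the content, so it can only contain
    # [0-9a-f]: no periods, slashes or colons, whatever name the client sent.
    name = hashlib.sha256(data).hexdigest()
    path = os.path.join(upload_dir, name)

    # O_EXCL never overwrites and never follows a symlink at the final path
    # component. Mode 0640 (further reduced by the umask) sets no execute bit.
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    except FileExistsError:
        # Same digest normally means the same bytes were stored earlier;
        # refuse if something other than a regular file holds the name.
        if not stat.S_ISREG(os.lstat(path).st_mode):
            raise UploadRejected("name is taken by a non-regular file")
        return name

    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    except OSError:
        os.unlink(path)  # do not leave a partial file under a valid name
        raise
    return name
```

A content digest is only as hard to guess as the content itself: anyone holding the same bytes can compute the same name.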
