[nzlug] File permission dummy questions
Peter Butler
peter.butler at 141.com
Fri Aug 11 16:50:50 NZST 2006
>> Only downside with this is that when your webserver gets compromised,
>> the attacker can edit or delete anything owned by the user the
>> webserver is running as.
>>
> Good point. Each webapp I install tends to have one or two directories that
> need to be writable by the www-data user, so I tend to be lazy.
>
This is something I've been wondering about recently. I set file
permissions for all web-accessible files to something like this for
CGI scripts:

    -rwxr-xr-x 1 root root 4315 Aug 9 18:17 example.cgi

And like this for non-executable files (e.g. libraries, HTML and PHP):

    -rw-r--r-- 1 root root 18110 Aug 9 14:55 somelib.py

But for webapps that need write access to the filesystem (e.g. for users
to upload images), I use this for directories:

    drwxr--r-- 126 www-data www-data 4096 Aug 9 14:55 user_images

And this for files:

    -rw-r--r-- 1 www-data www-data 38454 Aug 9 20:10 uploaded_file.jpg

Where www-data is the user which runs the web server. Is this a smart
way to do things? How can I make this more secure? Is there any way I
can get the web server to write files that are owned by root but able to
be deleted, updated, etc. by the web server? (Sorry for the basic nature
of these questions but the topic is "dummy questions").

Cheers
Peter
>
>
> Craig
>
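
An added example, not part of the original post or thread: a Python audit of the layout described in the message above, reporting code paths the web server account can modify and uploaded files that carry an execute bit. The names www-data and user_images come from the post; the docroot /var/www and the function names class_bits and audit are assumptions made for illustration.

```python
import os
import stat

def class_bits(mode, uid, gid, who_uid, who_gids):
    """rwx triple (0-7) the kernel applies to who_uid: owner class first, then
    group, then other. Root's override and POSIX ACLs are not modelled."""
    if who_uid == uid:
        return (mode >> 6) & 7
    if gid in who_gids:
        return (mode >> 3) & 7
    return mode & 7

def audit(docroot, web_uid, web_gids, upload_dirs):
    """Walk docroot; return sorted (relative_path, problem) findings."""
    docroot = os.path.normpath(docroot)
    uploads = {os.path.normpath(os.path.join(docroot, d)) for d in upload_dirs}
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode is meaningless; its target is walked separately
            rel = os.path.relpath(path, docroot)
            bits = class_bits(st.st_mode, st.st_uid, st.st_gid, web_uid, web_gids)
            is_dir = stat.S_ISDIR(st.st_mode)
            in_upload = any(path == u or path.startswith(u + os.sep) for u in uploads)
            if in_upload:
                # Creating and deleting entries needs both w and x on the directory.
                if is_dir and (bits & 3) != 3:
                    findings.append((rel, "upload dir lacks w+x for the web user"))
                if not is_dir and st.st_mode & 0o111:
                    findings.append((rel, "executable bit set on uploaded file"))
            elif bits & 2:
                findings.append((rel, "code path writable by the web user"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
    return sorted(findings)

if __name__ == "__main__":
    import grp, pwd
    web = pwd.getpwnam("www-data")  # account name from the post
    gids = {web.pw_gid} | {g.gr_gid for g in grp.getgrall() if web.pw_name in g.gr_mem}
    # /var/www is an assumed docroot; user_images is the upload dir from the post
    for rel, problem in audit("/var/www", web.pw_uid, gids, ["user_images"]):
        print(f"{problem}: {rel}")
```

Because the owner class is checked first, a file owned by the web server account with mode 0070 is not writable by it even though its group would be granted write.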