
List:       ruby-talk
Subject:    Re: writable
From:       Martin Stannard <martins () aardvark ! net ! au>
Date:       2004-05-18 13:36:38
Message-ID: 1084887383.14209.10.camel () beyond

Hi,

On Tue, 2004-05-18 at 16:18, paul vudmaska wrote:
> Thanks to the help of a kind rubyist I'm able to write a script for
> creating directories - some of them writable by the web server for
> uploading files.
> 
> This permission works 0757  which amounts to
> drwxr-xrwx 
> 
> All privs for owner and other but not write for group.
> 
> Owner        Group        Other
> r  w  x      r  w  x      r  w  x
> 4  2  1      4  2  1      4  2  1
> 
> 7            5            7
> 
> I would have thought 0775 would have been better (not writable by other),
> but that did not fly. What permission octet do the gurus recommend for
> writable directories?
> 
> Seems to me, group should be the correct permission for the server.
> Doesn't other mean the whole world and will allow them to put baddies
> in there?
> 
> Thanks a bunch guys and gals,
> :P
> 
> ps: for those who've not checked
> http://phrogz.net/ProgrammingRuby/frameset.html
> it's a great, dynamic online version of pickaxe - thanks to gavin.

The method I've used is to have a file upload directory with permission
755 and owned by the webserver user, in my case:
chown apache:apache directory_name

This allows the server process to write any uploaded files to the
directory using this code:
 
    local_file = @cgi['url'].local_path
    original_filename = @cgi['url'].original_filename
    path = "../tutorials/gfx/" + original_filename
    FileUtils.cp(local_file.untaint, path.untaint)

Actually I just tried it with 744 and that works too.

Anyone else see any security problems with that?

regards,

Martin
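
An added example, not part of the original message or thread: one way to address the two points raised above, a client-supplied filename being joined onto the upload path and a directory writable by "other". The method names (safe_upload_path, store_upload, world_writable?) and the filename policy are assumptions made for illustration.

```ruby
# Added example (not from the thread). All method names here are hypothetical.

# Turn a client-supplied filename into a path that is guaranteed to sit
# directly inside upload_dir, or raise ArgumentError.
def safe_upload_path(upload_dir, client_name)
  # Clients may send a full path with either separator: keep the last component.
  base = client_name.to_s.split(%r{[/\\]}).last.to_s
  # Allow a conservative character set; everything else becomes "_".
  base = base.gsub(/[^A-Za-z0-9._-]/, '_')
  # Rejects "", ".", ".." and dotfiles such as ".htaccess".
  raise ArgumentError, 'unusable filename' if base.empty? || base.start_with?('.')

  root = File.realpath(upload_dir)
  dest = File.expand_path(base, root)
  # Defence in depth: the resolved destination must still be under the root.
  unless dest.start_with?(root + File::SEPARATOR)
    raise ArgumentError, 'destination escapes upload directory'
  end
  dest
end

# Copy an uploaded temp file into upload_dir without overwriting anything.
def store_upload(local_file, client_name, upload_dir)
  dest = safe_upload_path(upload_dir, client_name)
  # EXCL makes creation fail (Errno::EEXIST) if the name is already taken,
  # so an upload cannot replace an existing file; 0644 keeps it non-executable.
  File.open(dest, File::WRONLY | File::CREAT | File::EXCL, 0o644) do |out|
    IO.copy_stream(local_file, out)
  end
  dest
end

# True when "other" has write permission on dir (the 0757 case in the thread).
def world_writable?(dir)
  (File.stat(dir).mode & 0o002) != 0
end
```

With the directory owned by the web server user, as in the chown above, write access for "other" is not needed, and world_writable? can be used in a deployment check to confirm it stays off.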
 


