On 21/10/05, Faheem Mitha <[EMAIL PROTECTED]> wrote:
>
> Dear People,
>
> I'm fairly new to apache administration, so I apologise in advance if
> this is an obvious question.
>
> I am running Apache, which is running some CGI scripts, which allow a web
> client (browser) to upload data, process it, and then return the process
> results to the client in the form of clickable links which correspond to
> the results.
>
> Let us assume for the purpose of this question that I have a CGI script
> along with other web pages, located in /var/www/data, which needs to write
> temporary files for the purpose described above.

Assuming it does. Unless you need to, don't, because it saves you a lot of
potential security problems.

> My question is as follows. What is a good place to locate these files, and
> what permissions should be set on these files?
>
> It seems to be clear that allowing apache's user (namely www-data) write
> permission to /var/www/data is a bad idea, because it would allow an
> attacker who obtained the permissions of www-data free access to the web
> pages there.

More importantly it would let them write cgi scripts there....

> I'm now toying with the idea of putting them in say /var/www/data/tmp,
> where tmp would be owned by www-data (both user and group www-data), and
> nobody else would have write access. Actually, disabling read access might
> be a good idea as well.
>
> What do people think of that? Any other suggestions/opinions?

That's the least terrible idea, I think. Make sure you don't use any
client-supplied information to generate the filename.

-- 
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/
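
The advice in this thread as an added example (not code from either poster): a CGI-side helper in Python that stores an upload under a server-generated name, in a spool directory that only the CGI user can write. The names `check_spool_dir` and `store_upload`, the `.upload` suffix and the sample filename are assumptions made for illustration.

```python
import os
import secrets
import stat
import tempfile


def check_spool_dir(path):
    """Refuse a spool dir that is a symlink, not ours, or writable by others."""
    st = os.lstat(path)  # lstat: a symlink to a directory is rejected too
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path}: not a real directory")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: not owned by the CGI user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path}: writable by group or others")


def store_upload(data, spool_dir, client_filename=None):
    """Write uploaded bytes under a server-chosen name and return the path.

    client_filename is accepted only to show that it never reaches the path.
    """
    check_spool_dir(spool_dir)
    name = secrets.token_hex(16) + ".upload"  # 128 random bits, no client input
    path = os.path.join(spool_dir, name)
    # O_EXCL: fail if the name already exists; O_NOFOLLOW: never write via a symlink
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Constructed run: a scratch directory stands in for /var/www/data/tmp."""
    with tempfile.TemporaryDirectory() as base:
        spool = os.path.join(base, "tmp")
        os.mkdir(spool, 0o700)
        supplied = "../../index.html"  # constructed client-supplied filename
        path = store_upload(b"sample upload", spool, supplied)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        inside = os.path.dirname(os.path.realpath(path)) == os.path.realpath(spool)
        return inside, mode, os.path.basename(path)


if __name__ == "__main__":
    print(demo())
```

The returned basename is what the CGI script would hand back in its result links; the original upload name, if it has to be shown at all, is kept as data rather than as a path.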