Posted by Lars Eighner on 07/03/07 11:17
In our last episode, <468a1a3c$0$3782$5402220f@news.sunrise.ch>, the lovely
and talented Bob Bedford broadcast on comp.lang.php:
> Hi all,
> I've a directory in which I save pictures of items to sell. Those pictures
> are uploaded by users and I've an ftp program that needs to resize some of
> them (too long to explain why).
> Since the owner is httpd and I connect to the ftp server using another
> user, I can't modify them as they are protected (mode 0644) and I can't
> change any group rights.
> I can create a script (user httpd) that does change the mode to 0777 but
> since I understand NOTHING about rights, is this idea a bad idea ???
Exceedingly horrible.
> what do I risk ?
Essentially, your server and all the data you have on it, and your reputation
if your server is compromised in such a way as to produce an annoyance on
the internet.
> my ftp doesn't have any guest access !
If the httpd files are 644, anyone, even ftp running as nobody (i.e. the
least privileged user) can read them. Your program using ftp can read the
files, modify them, and write them to a place where it does have write
privileges. You shouldn't be serving raw uploads anyway. The problem is:
if you can write these files via anonymous ftp, so can anyone else.
Files should be sanitized, resized, and moved by the php that handles the
POST data.
> Thanks for helping.
> Also joker question: what does "execute" mode mean ?
It means it is allowable for the file to be executed as a program, and if
you do not see why this is a bad idea for uploaded files, you need to get
out of the computer business. For some servers (i.e. apache), the execute
bit is used to indicate that the file should be parsed for server-side
includes when it is being served. At the very best this is a waste of the
server's time if the file is an image which naturally should not contain any
server instructions. At worst, it would allow malicious server instructions
in an image file to be executed. Don't set the execute bit on any file that
should not contain SSIs.
--
Lars Eighner <http://larseighner.com/> <http://myspace.com/larseighner>
Countdown: 567 days to go.
Friends of Lizbeth: help replace failed a/c at Austin's no-kill shelter
<https://secure.groundspring.org/dn/index.php?aid=12349>
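The approach the reply recommends (let the PHP that receives the POST sanitize, resize and move the picture itself, leaving it 0644 with no execute bit) as an added example; this is not code from the original post. It assumes the GD extension, an upload field named `picture`, and a destination directory `/var/www/items` that only the httpd user can write to.

```php
<?php
// Added example, not from the original post. Assumes GD, an <input type="file" name="picture">
// field and a destination directory that only the httpd user can write to.
const UPLOAD_DIR = '/var/www/items'; // assumed location; served read-only
const MAX_WIDTH  = 800;

function processUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Decide from the bytes, not from the client-supplied name or MIME type.
    $info = getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    [$width, $height, $type] = $info;
    if ($type === IMAGETYPE_JPEG) {
        $src = imagecreatefromjpeg($file['tmp_name']);
    } elseif ($type === IMAGETYPE_PNG) {
        $src = imagecreatefrompng($file['tmp_name']);
    } else {
        throw new RuntimeException('unsupported image type');
    }
    if ($src === false) {
        throw new RuntimeException('could not decode image');
    }
    // Re-encode onto a fresh canvas: only pixel data survives, so any text
    // smuggled into the file (PHP, SSI directives, metadata) is dropped.
    $scale = min(1.0, MAX_WIDTH / $width);
    $dst = imagecreatetruecolor((int) round($width * $scale), (int) round($height * $scale));
    imagecopyresampled($dst, $src, 0, 0, 0, 0, imagesx($dst), imagesy($dst), $width, $height);

    // Server-chosen name and extension; the uploaded filename is never reused.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($dst, $dest, 85)) {
        throw new RuntimeException('could not write image');
    }
    imagedestroy($src);
    imagedestroy($dst);
    // Owner httpd may write, everyone may read, nobody may execute:
    // 0644 rather than 0777, and no execute bit that could trigger SSI parsing.
    chmod($dest, 0644);
    return $dest;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['picture'])) {
    echo 'stored as ' . basename(processUpload($_FILES['picture']));
}
```

Because the resized copy is written by httpd into a directory it owns, the separate ftp account never needs write access and the 0644 mode can stay as it is.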