|
|
Posted by Jerry Stuckle on 12/30/05 17:19
jab3 wrote:
>
>
> Yeah, similar to what Balazs said, I actually have done this by running
> a program I wrote in C as setuid root, but I consider that dangerous.
> I made the program very compact, dealing with untainted data, but
> still. Guess that's the way to go for that though.
>
Yes, that's one way to do things.
> Yep, that's my problem. :) I keep wondering how these other sites do
> it (like these online photo sites, e.g. SnapFish, that give you an
> account and let you upload images for others to see). I've considered
> making it all managed from an SQL database and putting the files in a
> PHP-accessible directory with SQL-generated ids as subdirectory names
> for each user's folder and bypassing Linux permissions. But that seems
> less secure.
>
Why not just keep everything owned by the Apache process? Protect
access to the files through a download script, .htaccess, or some
similar way.
Even if you do change the ownership of the files you won't be more or
less secure. They'll all be access via the Apache uid anyway.
>
> I suppose I could have cron jobs that run x times an hour to move stuff
> around. I'll have to look some more into suexec. And don't worry,
> giving Apache root access has not occurred to me. :)
>
One of the worst ways to do things.
>
> Thanks for help,
> jab3
>
As I said - I just keep everything owned by Apache. Membership is
managed through a MySQL database or .htaccess.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Navigation:
[Reply to this message]
|