Re: creating and serving temporary files with apache



On 21/10/05, Faheem Mitha <faheem@email.unc.edu> wrote:
>
> Dear People,
>
> I'm fairly new to apache administration, so I apologise in advance if
> this is an obvious question.
>
> I am running Apache, which is running some CGI scripts, which allow a web
> client (browser) to upload data, process it, and then return the process
> results to the client in the form of clickable links which correspond to
> the results.
>
> Let us assume for the purpose of this question that I have a CGI script
> along with other web pages, located in /var/www/data, which needs to write
> temporary files for the purpose described above.

Assuming it does. Unless you need to, don't, because it saves you a
lot of potential security problems.

> My question is as follows. What is a good place to locate these files, and
> what permissions should be set on these files?
>
> It seems to be clear that allowing apache's user (namely www-data) write
> permission to /var/www/data is a bad idea, because it would allow an
> attacker who obtained the permissions of www-data free access to the web
> pages there.

More importantly it would let them write cgi scripts there....

> I'm now toying with the idea of putting them in say /var/www/data/tmp,
> where tmp would be owned by www-data (both user and group www-data), and
> nobody else would have write access. Actually, disabling read access might
> be a good idea as well.
>
> What do people think of that? Any other suggestions/opinions?

That's the least terrible idea, I think.
Make sure you don't use any client-supplied information to generate
the filename.



--
Rasputin :: Jack of All Trades - Master of Nuns
http://number9.hellooperator.net/
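
The advice in this thread (a dedicated directory writable only by the server user, and filenames never built from client-supplied data) is shown below in Python as an added example that is not part of the original message. The names `store_result`, `resolve_result` and `RESULT_DIR` are hypothetical, and a constructed temporary directory stands in for /var/www/data/tmp so the code runs anywhere.

```python
import os
import re
import secrets
import tempfile

# Assumption: stands in for the dedicated, www-data-owned directory from the thread.
RESULT_DIR = tempfile.mkdtemp(prefix="results-")
TOKEN_RE = re.compile(r"[0-9a-f]{32}")


def store_result(data: bytes, client_filename: str = "") -> str:
    """Write data under a server-generated name and return the token for the link.

    client_filename is accepted only to show that it is deliberately ignored.
    """
    token = secrets.token_hex(16)  # 128 random bits, not guessable by other clients
    path = os.path.join(RESULT_DIR, token + ".out")
    # O_EXCL makes the open fail if the name already exists, including when it
    # is a symlink planted in the directory; 0o600 keeps group/other out.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return token


def resolve_result(token: str):
    """Map a token taken from a request back to a path, or None if invalid."""
    if not TOKEN_RE.fullmatch(token):
        return None  # rejects "../", absolute paths, NUL bytes, trailing newlines
    path = os.path.join(RESULT_DIR, token + ".out")
    return path if os.path.isfile(path) else None


if __name__ == "__main__":
    # Constructed input: an upload whose claimed filename tries to escape the directory.
    tok = store_result(b"processed output\n", client_filename="../../index.cgi")
    print("link token:", tok)
    print("resolved:", resolve_result(tok))
    print("traversal attempt:", resolve_result("../../index.cgi"))
```

The clickable link returned to the browser carries only the token; the download handler passes it through `resolve_result` before opening anything.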


