Thanks for your answer (also thanks to Philip and Pep).

I started with the following permissions:

-rw-r--r-- 1 wwwrun www 188416 Jul 16 15:08 apachetomcathowto.doc

The idea of the setgid solves my problem, because files were now created like this:

-rw-r--r-- 1 wwwrun 1001 188416 Jul 16 15:08 apachetomcathowto.doc

I then changed the umask of the wwwrun user, making the files created writable by the group, finishing with permissions like:

-rw-rw-r-- 1 wwwrun 1001 188416 Jul 16 15:08 apachetomcathowto.doc

This way my FTP users can also delete or modify the files uploaded via web.

To answer your question, Nordi, my FTP users are not the same as my web users. It's a distance learning platform. My web users are the participants and the tutors and have only web access. My FTP users are the web designers and developers of the platform.

Have a nice day,
Gael

nordi <nordi@addcom.de> wrote on 16/07/2004 14.29.05:
g.lams@itcilo.org wrote:
The permissions on this folder are the following (1001 and 1001 are my respective virtual user and virtual proftp group):

drwxrwxr-x 6 1001 1001 4096 Jul 14 19:43 platform

This platform allows the upload of files from the web. The problem is that when a file is uploaded, it takes the permissions of the apache owner, like the following:

drwxrwxrwx 2 1001 1001 4096 Jul 15 14:30 .
drwxrwxrwx 3 1001 1001 4096 Jul 12 19:16 ..
-rw-r--r-- 1 wwwrun www 19456 Jul 15 14:29 prova.doc

You can set the SGID bit on your directory with "chmod g+s platform". This way, all files created inside will be owned by group 1001. Then you need to change your upload script to set 664 permissions on uploaded files. Then you will get

-rw-rw-r-- 1 wwwrun 1001 19456 Jul 15 14:29 prova.doc

This means your users can immediately work with the files and don't need to wait for a cron job. A cron job that chowns _everything_ in that directory could also be a security risk (exploitable via hardlinks).

But why do you upload files via the _web_ interface if your users already have ftp access? If they uploaded their stuff via ftp then the permissions would be no problem. Or did I miss something?

nordi
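
The setgid-plus-umask arrangement discussed in this thread can be verified with a small audit script. This is an added example, not code from any poster; the function names, file names and the scratch directory are hypothetical, and it runs in a temporary directory rather than on a real upload folder.

```shell
#!/bin/sh
# Added example: constructed scratch directory, no real users or groups involved.

# Octal permission bits and numeric group of a path (GNU stat, BSD fallback).
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
group_of() { stat -c '%g' "$1" 2>/dev/null || stat -f '%g' "$1"; }

# Create an empty file under the given umask, as the upload process would,
# and print the resulting mode. The subshell keeps the umask change local.
create_with_umask() {   # usage: create_with_umask DIR NAME UMASK
    ( umask "$3" && : > "$1/$2" ) && mode_of "$1/$2"
}

# Report everything that would stop group members from modifying uploads.
# Prints one finding per line; exit status is 0 only when nothing was found.
audit_shared_dir() {    # usage: audit_shared_dir DIR
    dir=$1; findings=0
    dir_gid=$(group_of "$dir")
    if [ ! -g "$dir" ]; then
        echo "NO_SETGID $dir"; findings=$((findings + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(group_of "$f")" != "$dir_gid" ]; then
            echo "WRONG_GROUP $f"; findings=$((findings + 1))
        fi
        # find -perm -020 matches only when the group-write bit is set
        if [ -z "$(find "$f" -prune -perm -020)" ]; then
            echo "NOT_GROUP_WRITABLE $f"; findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

demo() {
    d=$(mktemp -d) || return 1
    chmod 2775 "$d"        # rwxrwsr-x: mode 775 plus the setgid bit
    echo "umask 022 -> $(create_with_umask "$d" before.doc 022)"
    echo "umask 002 -> $(create_with_umask "$d" after.doc 002)"
    audit_shared_dir "$d" || true   # flags before.doc only
    rm -rf "$d"
}
demo
```
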