Apache alias and 777 directory security
I hope this is alright to ask here... here goes:
I've put a directory outside of the web root, to hold images and docs that users upload via a CMS. The directory needs 777 permissions on it. I created an Apache Alias to it. I hope this next makes sense: does the alias name effectively have the 777 permissions, because the place it points to does? In other words, say my alias is "userfiles", does the www.someplace.com/userfiles address still put a 777 folder out there? Hope I explained OK. I'm new with Linux and Apache. Cheers.
Yes, when you set the directory to 777 and point an alias at it, you are opening it up to anybody to read, write, and execute on that directory. What is to stop them from uploading a file and then executing it? There is a reason why one normally keeps the web files owned by a user such as root and makes the Apache 'user' a false account. You haven't stated what your objectives and goals are, but I think you would be much better served to create a "group" and give the appropriate group and/or users read, write access to your folder instead of giving 'others' complete control.
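The group-based alternative to 777 suggested in the answer above, as an added example that is not part of the original thread: it lists everything "others" can write to, then switches the tree to group access with no access for others and no execute bit on files. The directory names and files are constructed, and the demo uses the caller's own primary group so it runs without root; on a real server the group is assumed to be one that contains the Apache user.

```shell
#!/bin/sh
# Added example, not from the thread. All paths and file names are constructed.

# Print every entry under $1 that "others" can write to (the 777 problem).
# Symlinks are skipped because their mode is always reported as 777.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Replace 777 with group-based access:
#   directories 2770: rwx for owner and group, setgid so new uploads
#                     inherit the group, nothing for others
#   files       0660: rw for owner and group, no execute bit, nothing for others
# $2 is the group shared by the uploading account and the Apache user (assumed).
harden_uploads() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 2770 {} + || return 1
    find "$dir" -type f -exec chmod 0660 {} +
}

# Demo on a throwaway tree that mimics the aliased "userfiles" directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/userfiles/images"
    : > "$tmp/userfiles/images/logo.png"
    : > "$tmp/userfiles/upload.php"
    chmod -R 777 "$tmp/userfiles"

    before=$(world_writable "$tmp/userfiles" | wc -l)
    harden_uploads "$tmp/userfiles" "$(id -g)" || return 1
    after=$(world_writable "$tmp/userfiles" | wc -l)

    echo "world-writable entries before: $before, after: $after"
    rm -rf "$tmp"
}

demo
```

Permissions only decide who on the server can write to the folder; whether Apache will run an uploaded script served through the alias is decided separately in the httpd configuration for that directory.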
Red Hat 5, right?
Is that 777 REALLY 777, so the default SELinux is OFF and NOT set to enforcing? Have you read the Apache docs? http://httpd.apache.org/docs/2.2/ WHAT is your CMS? There should be settings in IT for an upload folder. Have you READ your CMS's docs (whatever it is)? And why do you need it outside of /www (or your "webroot")? How have you set it (that folder) up in the httpd? What type of security is set for that directory (using the password list), or what? --set in httpd
Tried going through the docs but find them hard to make out. As I said I'm new to this and no Linux/Apache expert by a long chalk. Web designer by trade. CMS is bespoke, and the purpose of this folder is to hold images and other files uploaded by the CMS users, via TinyMCE. Goal is to do this securely somehow. Previous website here was compromised apparently by having a public folder public with 777. Small company, no server admin people etc, just me. Tried other permissions but it seems to fail with anything other than 777.
http://httpd.apache.org/docs/2.2/ Also there is a VERY good book - buy it: O'Reilly "Apache: The Definitive Guide", or a similar one. I am not sure of "bespoke" CMS - I used "geeklog". But a book on PHP is also advised. Think of it this way: the web site is the college class FINAL EXAM (and only grade) and you MUST, and I do mean MUST, get a 4.0 on it (if you do not, you do not graduate!), so study and do some more studying.
Thanks, I'll grab the book and gen up, and also talk to them upstairs about getting a contractor in to make sure it's all right and proper.