Gottfried Szing wrote:

>On Sun, 2002-09-22 at 22.05, Colin Watson wrote:
>
>>On Sun, Sep 22, 2002 at 09:54:14PM +0200, Gottfried Szing wrote:
>>
>>>and for setting default permissions you can also consult the umask
>>>functionality. but i think this is very dangerous to turn x on by
>>>default.
>>
>>I can't think of a situation where it's dangerous to grant execute
>>permission, unless the executable is set-id. If you can read the file
>>then you can always copy it off somewhere else, set the execute bit
>>yourself, and execute it. If it isn't set-id and allows you to do
>>something bad, well, you could clearly have done that without the aid of
>>the executable.
>
>ok, to utilize the umask, you have two possibilities:
>1. setting the umask for the whole process (apache)
>2. setting the umask per request
>
>ad 1. i think that this possibility can be ignored. because setting the
>exe-permission for all files created (even logfiles) is not really
>wanted.
>
>ad 2. this is much better? but why setting exe by default? setting the
>permissions by hand via the chmod command or setting the umask is the
>same effort: one function call. but the difference is chmod can be done
>after(!) doing some checks. e.g. kind of shell to use, is it a binary or
>a shell-script,...
>
>i explicitly grant permissions on demand and after some checks. i don't
>give everyone access to a specific resource. so for security reasons the
>exe-permissions should be used really carefully. it's like an opt-in into my
>"security realm".
>
>ok, it's the decision of the webmaster/programmer to trust the uploaders.
>but i would not use the umask and exe-by-default in thousands of years.
>
>cu

Ok, I am learning this umask util. I'm confused, if you set the umask, is that for any new file created on the linux system, or just the files in the particular directory that the umask command was run in? This isn't listed on the man page or in my book. Basically I just want to grant exe permission to the world ONLY on new files created in the USERS web directories, just to save them the hassle of manually changing it, I DON'T want to give .exe status to any new file created on my linux box by default.

-Debuser
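
An added example, not part of the thread: a POSIX shell sketch showing that the umask belongs to a process and its children rather than to a directory, and that it only removes bits from the mode the creating program requests (the shell requests 0666 for a redirected file, so no umask value yields an execute bit). It also sketches the chmod-after-check approach from the quoted message. The temporary paths and the interpreter allow-list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and the interpreter
# allow-list are constructed for illustration.

# Permission string of a file, e.g. "-rw-r--r--".
perms() { ls -ld "$1" | cut -c1-10; }

# Create $2 with umask $1. The umask change happens in a subshell, so it
# affects only that process (and its children), not the caller.
create_with_umask() {
    ( umask "$1" && : > "$2" )
    perms "$2"
}

# chmod after a check: grant execute only when the first line names an
# interpreter on the (assumed) allow-list.
grant_exec_if_script() {
    first=
    IFS= read -r first < "$1" || :
    case "$first" in
        '#!/bin/sh'|'#!/usr/bin/perl') chmod 755 "$1" ;;
        *) return 1 ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/a" "$d/b"
    before=$(umask)
    create_with_umask 022 "$d/a/f1"   # same umask ...
    create_with_umask 022 "$d/b/f2"   # ... same mode in another directory
    create_with_umask 000 "$d/a/f3"   # umask 000 still gives no x bit
    [ "$(umask)" = "$before" ] && echo "caller umask unchanged: $before"
    printf '#!/bin/sh\necho hi\n' > "$d/a/ok.cgi"
    printf 'not a script\n' > "$d/a/data.txt"
    grant_exec_if_script "$d/a/ok.cgi" && perms "$d/a/ok.cgi"
    grant_exec_if_script "$d/a/data.txt" || perms "$d/a/data.txt"
    rm -rf "$d"
}
demo
```

Because the mask can only clear bits, execute permission on uploaded files has to come from an explicit chmod, which is the place to put the checks.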