Ben-Nes Michael wrote:
>
> So what should a web master do if he wants people to upload images
> to a directory?
> As I know he must give a+w to the file.
> Is there another way?
[older stuff snipped]
One of two ways:
1. Use file-upload through HTTP (Netscape's method,
but already a standard), then SAFELY move it to
a storage place. Do _NOT_ do anything as stupid as
system("mv $filename /blah/blah") (if using Perl, for
example).
2. Allow them to upload the file through an anonymous FTP
directory (also do-able through a web interface, not too
much fuss) and you get to have the ftpd handle the security.
Unfortunately, there have been tons of holes reported with
various implementations of anonymous ftp (in WuFTPD, as well
as ProFTPD - even the stock wuftpd that comes with rh6.1 is
vulnerable to a root(!) exploit, even though you are supposedly
chroot'ed - unfortunately it's trivial to code a module that
bypasses chroot and have wuftpd load it :)
Make sure that files uploaded are not readable by anonymous
users (perhaps not by anyone else either). Like this:
upload /home/ftp /incoming yes [user] [group] 0000 nodirs
--
"You will now die. Make whatever rituals are necessary for your species."
- Ur-Quan, Kohr-Ah
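The first option in the reply above, as an added example that is not part of the original post: moving an HTTP upload into storage in Perl without passing the client's filename to a shell. The names `safe_name` and `store_upload`, the allowed extensions and the 64-character limit are assumptions chosen for illustration, and the sample filenames are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Basename qw(basename);
use File::Copy qw(copy);
use File::Temp qw(tempdir);

# Reduce a client-supplied name to a bare file name, or return nothing.
sub safe_name {
    my ($client_name) = @_;
    return unless defined $client_name;
    $client_name =~ s{\\}{/}g;              # treat Windows separators as '/'
    my $base = basename($client_name);      # drop any directory part
    # Allowlist: leading alphanumeric (rejects '.', '..', dotfiles, '-opt').
    my ($clean) = $base =~ /\A([A-Za-z0-9][A-Za-z0-9_.-]{0,63})\z/ or return;
    return unless $clean =~ /\.(?:gif|jpe?g|png)\z/i;   # assumed image types
    return $clean;
}

# Copy the upload into $store_dir without a shell; return the path or nothing.
sub store_upload {
    my ($tmp_path, $client_name, $store_dir) = @_;
    my $name = safe_name($client_name) or return;
    my $dest = "$store_dir/$name";
    # O_EXCL: fail instead of overwriting a file or following a planted symlink.
    sysopen(my $out, $dest, O_WRONLY | O_CREAT | O_EXCL, 0600) or return;
    my $ok = copy($tmp_path, $out);
    close($out) or $ok = 0;
    unless ($ok) { unlink $dest; return; }
    unlink $tmp_path;
    return $dest;
}

# Constructed demo: one scratch directory for temp uploads, one for storage.
my $tmp_dir   = tempdir(CLEANUP => 1);
my $store_dir = tempdir(CLEANUP => 1);
for my $client_name ('photo.jpg', '../../etc/passwd',
                     'x.jpg; echo injected', 'C:\\pics\\cat.PNG') {
    my $tmp = "$tmp_dir/upload.$$";
    open(my $fh, '>', $tmp) or die "$tmp: $!";
    print {$fh} "constructed image bytes\n";
    close($fh) or die "$tmp: $!";
    my $dest = store_upload($tmp, $client_name, $store_dir);
    printf "%-22s => %s\n", $client_name, defined $dest ? "stored as $dest" : 'rejected';
    unlink $tmp;
}
```

Files are created with mode 0600, so the web server's own user can read them back but other local users cannot.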