On Dec 12, 9:07 am, garagefan <monkeygar...@gmail.com> wrote:
> which would actually result in keeping my server more secure... i
> would assume leaving other with rwx would be paramount to keeping my
> front door wide open?

The risk is more from users who have shell accounts on the same
system, or have web applications running as a different user. Those
users would be able to modify stuff in that directory even though they
aren't the owner.

It doesn't change the risk in respect of other web application code
running under mod_python or PHP which also runs as the Apache user. Such
code, because it runs as the Apache user, would be able to write to the
directory even if owned by the Apache user and not o+rwx.

> I'll look into mod_wsgi... but i can't imagine that every person
> running mod_python and working with file uploads hasn't had to combat
> this little issue.

Based on posts one sees, a lot of people just make it o+rwx and leave
it at that.

> is there really a safety concern?

If you are fully in control of the system and there are no other users
on it, it is not good, but not disastrous.

> or is there another way around this?

Make the user owned by Apache user instead and don't have o+rwx.

I am biased, but it is arguable that mod_wsgi is a better overall choice
these days than mod_python anyway and, with mod_python fading away to a
degree, a better long-term choice.

Graham

> On Dec 11, 4:59 pm, Graham Dumpleton <graham.dumple...@gmail.com>
> wrote:
>
> > On Dec 12, 8:52 am, garagefan <monkeygar...@gmail.com> wrote:
>
> > > this is my first time working this closely to the server for a live
> > > environment :)
>
> > > "apache" appears as owner of the file once uploaded. is there a way to
> > > set the default on this to be another user?
>
> > Only by using Apache/mod_wsgi (not mod_python) and specifically using
> > mod_wsgi daemon mode, with a distinct user defined for the daemon
> > process and thus your Django application to run as.
>
> > Graham
>
> > > On Dec 11, 4:45 pm, Graham Dumpleton <graham.dumple...@gmail.com>
> > > wrote:
>
> > > > On Dec 12, 8:32 am, garagefan <monkeygar...@gmail.com> wrote:
>
> > > > > I figured out my issue with the "access denied, suspicious operation"
> > > > > bull...
>
> > > > > apparently the only way the admin side of my site can upload an image
> > > > > to a directory is by having "other" set to have full rwx set... ie
> > > > > chmod **7 I'm not so sure this is a good thing to keep set as that
> > > > > would give everyone, logged in or other, access to overwriting data,
> > > > > adding stuff, etc... right?
>
> > > > Who owns the files once uploaded?
>
> > > > Whoever that is should be the owner of the directory. Sounds like you
> > > > are running under Apache and don't understand that your code runs as
> > > > the Apache user.
>
> > > > Graham
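
An added example, not part of the original message or of Django or mod_wsgi code: a Python check for the setup the reply recommends, an upload directory owned by the user the web application runs as, with no permissions for "other". The function names and the temporary tree are constructed for illustration; `os.getuid()` stands in for the Apache user's uid, which is an assumption of the demo.

```python
import os
import stat
import tempfile


def audit_upload_dir(top, expected_uid):
    """List (path, problem) pairs for entries under top that are
    world-writable or not owned by expected_uid."""
    findings = []
    for root, _dirs, files in os.walk(top):
        for entry in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(entry)
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on symlinks are not meaningful
            if st.st_mode & stat.S_IWOTH:
                findings.append((entry, "world-writable"))
            if st.st_uid != expected_uid:
                findings.append((entry, "wrong-owner"))
    return findings


def drop_other_access(top):
    """Clear the o+rwx bits on every entry; must run as owner or root."""
    for root, _dirs, files in os.walk(top):
        for entry in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(entry)
            if not stat.S_ISLNK(st.st_mode):
                os.chmod(entry, stat.S_IMODE(st.st_mode) & ~0o007)


def demo():
    """Constructed sample: an upload dir left at o+rwx, then tightened."""
    uid = os.getuid()  # stands in for the Apache user's uid (assumption)
    with tempfile.TemporaryDirectory() as top:
        uploads = os.path.join(top, "uploads")
        os.mkdir(uploads)
        os.chmod(uploads, 0o777)  # the "chmod **7" state from the thread
        photo = os.path.join(uploads, "photo.jpg")
        with open(photo, "wb") as fh:
            fh.write(b"constructed sample data")
        os.chmod(photo, 0o666)
        before = audit_upload_dir(uploads, uid)
        drop_other_access(uploads)
        after = audit_upload_dir(uploads, uid)
        owner_can_write = os.access(uploads, os.W_OK)
        return before, after, owner_can_write


if __name__ == "__main__":
    print(demo())
```

On a real server, pass the uid of the account the application runs as (for example from `pwd.getpwnam`) as `expected_uid`; a `wrong-owner` finding needs `chown` run as root rather than a mode change.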