Re: Question on File Permissions

2002-09-22 Thread Debian User

Well, basically what I learned today, is that web file permissions are 
usually handled by the FTP client, which I am finding out is a problem 
with certain FTP utils like Dreamweaver for instance, because for some 
reason you have to download the Exchange Utilities which cost more $$ to 
get the feature of setting default UPLOAD permissions, while several 
other FTP utils have this feature built in.

I am a little pissed, that Dreamweaver would have people scratching their 
heads on this one, with no info in the help, or on their web site.  In 
their forums, several people have had the same trouble and it takes a 
user, not Macromedia to tell them the answer is to spend more dollars on 
Dreamweaver extensions.

Shouldn't this feature just be built in to any Web writing software?

Oh well, thanks for all your help with this one.

-Debuser



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Question on File Permissions

2002-09-22 Thread Miquel van Smoorenburg

In article <[EMAIL PROTECTED]>,
Debian User  <[EMAIL PROTECTED]> wrote:
>Question, is there any way to set a default file permission on a certain 
>user folder inside the /var/www/ folder.
>
>I want to setup accounts for users to upload web files, but the problem 
>is that whenever I upload files, the files always default to read only 
>and I have to run the chmod command each time, instead of them just 
>defaulting to read and exe access for all.  

How do you upload those files? You'll have to change a setting
in the program that handles that on the server side.

If it's FTP, find out which ftp server you're running. If it's
proftpd, fix it in /etc/proftpd.conf (docs on www.proftpd.net).
Etc.

Mike.
-- 
Computers are useless, they only give answers. --Pablo Picasso






Re: Question on File Permissions

2002-09-22 Thread Gottfried Szing

On Sun, 2002-09-22 at 22.36, Colin Watson wrote:

> > i explicitly grant permissions on demand and after some checks. i don't
> > give everyone access to a specific resource. so for security reasons the
> > exe-permissions should be used really carefully. it's like an opt-in into my
> > "security realm".
> 
> As I said above, the execute bit provides no real security except in the
> case of set-id executables. No trust needs to be involved, since anybody
> who can read the file can arrange to execute it anyway.
> 
> If you're concerned about setting the executable bit because you have
> programs that randomly go around actually executing untrusted code, of
> course, then they're buggy and should be fixed ...

of course. but i believe that here the same as for i.e. databases
applies: i grant permissions explicitly and by default every file is just
readable. no execute permissions.

setting the execute permissions by default can make it maybe easier to
find a backdoor. so this is just a security concern and this is not a
fact. i think, setting exe-perms should be done after some simple
checks. 

cu







Re: Question on File Permissions

2002-09-22 Thread Gottfried Szing

On Sun, 2002-09-22 at 22.36, Debian User wrote:

> Ok, I am learning this umask util.  I'm confused, if you set the umask, 
> is that for any new file created on the linux system, or just the files 
> in the particular directory that the umask command was run in?
> 
> This isn't listed on the man page or in my book.

ok, here are two hints:

from the bash-help:
==
umask: umask [-S] [mode]
The user file-creation mask is set to MODE.  If MODE is omitted, or if
`-S' is supplied, the current value of the mask is printed.  The `-S'
option makes the output symbolic; otherwise an octal number is output.
If MODE begins with a digit, it is interpreted as an octal number,
otherwise it is a symbolic mode string like that accepted by chmod(1).
==

or better description (user comments!):

http://www.php.net/manual/en/function.umask.php

the umask just applies to newly created files or directories.

> Basically I just want to grant exe permission to the world ONLY on new 
> files created in the USERS web directories, just to save them the hassle 
> of manually changing it, I DON'T want to give .exe status to any new 
> file created on my linux box by default.

as described above only the fopen, mkdir,... calls AFTER the umask are
influenced. and it depends on the server side language you are using, if
you have to reset the umask before the end of the script.

and: i am not sure if the umask works for uploads. because i.e. php
creates a tmp-file. but this happens before the php-code is reached. so
setting the umask is only working if you copy the files by hand.

but i think for a better help you should consult a mailinglist/news
group which discusses problems for the specific language.

cu






Re: Question on File Permissions

2002-09-22 Thread Colin Watson

On Sun, Sep 22, 2002 at 01:36:17PM -0700, Debian User wrote:
> Ok, I am learning this umask util.  I'm confused, if you set the umask, 
> is that for any new file created on the linux system, or just the files 
> in the particular directory that the umask command was run in?

umask affects only the current processes and any of its child processes.
In general, there is no way to set default permissions for files created
in a particular directory.

-- 
Colin Watson  [[EMAIL PROTECTED]]
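
The scope described in this reply, as an added example that is not part of the original thread: the umask belongs to a process, is inherited by its children, and gives the same result in any directory. It also shows that a mask only removes bits, so a file the shell creates (requested mode 0666) has no execute bit even under umask 000. The function names and the temporary paths are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print a file's octal mode (GNU stat, with BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create an empty file under the given umask and print the resulting mode.
# The umask change happens in a subshell (a child process), so the
# caller's own mask is left alone.
create_with_umask() {
    ( umask "$1"; : > "$2" )
    mode_of "$2"
}

# Runs in its own subshell; all paths are constructed under a temp dir.
umask_demo() (
    umask 022
    work=$(mktemp -d) || exit 1
    mkdir "$work/a" "$work/b"
    in_a=$(create_with_umask 077 "$work/a/f")   # mask 077 in directory a
    in_b=$(create_with_umask 077 "$work/b/f")   # same mask, directory b
    : > "$work/a/g"                             # parent's mask is still 022
    parent=$(mode_of "$work/a/g")
    open=$(create_with_umask 000 "$work/a/h")   # shell requests 0666: no x bit
    child=$(umask 027; sh -c 'umask')           # child process inherits the mask
    rm -rf "$work"
    echo "$in_a $in_b $parent $open $child"
)

umask_demo
```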





Re: Question on File Permissions

2002-09-22 Thread Debian User

Gottfried Szing wrote:

>On Sun, 2002-09-22 at 22.05, Colin Watson wrote:
>  
>
>>On Sun, Sep 22, 2002 at 09:54:14PM +0200, Gottfried Szing wrote:
>>
>>
>>>and for setting default permissions you can also consult the umask
>>>functionality. but i think this is very dangerous to turn x on by
>>>default.
>>>  
>>>
>>I can't think of a situation where it's dangerous to grant execute
>>permission, unless the executable is set-id. If you can read the file
>>then you can always copy it off somewhere else, set the execute bit
>>yourself, and execute it. If it isn't set-id and allows you to do
>>something bad, well, you could clearly have done that without the aid of
>>the executable.
>>
>>
>
>ok, to utilize the umask, you have two possibilities:
>1. setting the umask for the whole process (apache)
>2. setting the umask per request
>
>ad 1. i think that this possibility can be ignored. because setting the
>exe-permission for all files created (even logfiles) is not really
>wanted.
>
>ad 2. this is much better? but why setting exe by default? setting the
>permissions by hand via the chmod command or setting the umask is the
>same effort: one function call. but the difference is chmod can be done
>after(!) doing some checks. e.g. kind of shell to use, is it a binary or
>a shell-script,... 
>
>i explicitly grant permissions on demand and after some checks. i don't
>give everyone access to a specific resource. so for security reasons the
>exe-permissions should be used really carefully. it's like an opt-in into my
>"security realm".
>
>ok, it's the decision of the webmaster/programmer to trust the uploaders.
>but i would not use the umask and exe-by-default in thousands of years. 
>
>cu
>
>
>
>  
>
Ok, I am learning this umask util.  I'm confused, if you set the umask, 
is that for any new file created on the linux system, or just the files 
in the particular directory that the umask command was run in?

This isn't listed on the man page or in my book.

Basically I just want to grant exe permission to the world ONLY on new 
files created in the USERS web directories, just to save them the hassle 
of manually changing it, I DON'T want to give .exe status to any new 
file created on my linux box by default.

-Debuser







Re: Question on File Permissions

2002-09-22 Thread Colin Watson

On Sun, Sep 22, 2002 at 10:26:42PM +0200, Gottfried Szing wrote:
> On Sun, 2002-09-22 at 22.05, Colin Watson wrote:
> > I can't think of a situation where it's dangerous to grant execute
> > permission, unless the executable is set-id. If you can read the file
> > then you can always copy it off somewhere else, set the execute bit
> > yourself, and execute it. If it isn't set-id and allows you to do
> > something bad, well, you could clearly have done that without the aid of
> > the executable.
> 
> ok, to utilize the umask, you have two possibilities:
> 1. setting the umask for the whole process (apache)
> 2. setting the umask per request
> 
> ad 1. i think that this possibility can be ignored. because setting the
> exe-permission for all files created (even logfiles) is not really
> wanted.

Sure, it's often unnecessary, and something finer-grained would be
desirable. But you said it was dangerous, and that's what I picked up
on. Why?

> i explicitly grant permissions on demand and after some checks. i don't
> give everyone access to a specific resource. so for security reasons the
> exe-permissions should be used really carefully. it's like an opt-in into my
> "security realm".

As I said above, the execute bit provides no real security except in the
case of set-id executables. No trust needs to be involved, since anybody
who can read the file can arrange to execute it anyway.

If you're concerned about setting the executable bit because you have
programs that randomly go around actually executing untrusted code, of
course, then they're buggy and should be fixed ...

Cheers,

-- 
Colin Watson  [[EMAIL PROTECTED]]






Re: Question on File Permissions

2002-09-22 Thread Gottfried Szing

On Sun, 2002-09-22 at 22.05, Colin Watson wrote:
> On Sun, Sep 22, 2002 at 09:54:14PM +0200, Gottfried Szing wrote:
> > and for setting default permissions you can also consult the umask
> > functionality. but i think this is very dangerous to turn x on by
> > default.
> 
> I can't think of a situation where it's dangerous to grant execute
> permission, unless the executable is set-id. If you can read the file
> then you can always copy it off somewhere else, set the execute bit
> yourself, and execute it. If it isn't set-id and allows you to do
> something bad, well, you could clearly have done that without the aid of
> the executable.

ok, to utilize the umask, you have two possibilities:
1. setting the umask for the whole process (apache)
2. setting the umask per request

ad 1. i think that this possibility can be ignored. because setting the
exe-permission for all files created (even logfiles) is not really
wanted.

ad 2. this is much better? but why setting exe by default? setting the
permissions by hand via the chmod command or setting the umask is the
same effort: one function call. but the difference is chmod can be done
after(!) doing some checks. e.g. kind of shell to use, is it a binary or
a shell-script,... 

i explicitly grant permissions on demand and after some checks. i don't
give everyone access to a specific resource. so for security reasons the
exe-permissions should be used really carefully. it's like an opt-in into my
"security realm".

ok, it's the decision of the webmaster/programmer to trust the uploaders.
but i would not use the umask and exe-by-default in thousands of years. 

cu
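
The opt-in approach described in this message (run checks first, then chmod), as an added sketch that is not part of the original thread. The allowlist `ALLOWED_INTERPRETERS`, the function names and the sample files are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): grant execute only after checks.
# ALLOWED_INTERPRETERS is an assumed allowlist for this sketch.
ALLOWED_INTERPRETERS="/bin/sh /usr/bin/perl"

# chmod a+x and return 0 only if the file passes every check.
grant_exec_if_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1      # regular file, not a symlink
    [ ! -u "$f" ] && [ ! -g "$f" ] || return 1    # refuse set-id files
    # Read the first line; tolerate a missing trailing newline.
    IFS= read -r first < "$f" || [ -n "$first" ] || return 1
    case $first in
        '#!'*) interp=${first#'#!'} ;;            # script with an interpreter line
        *) return 1 ;;                            # data, HTML, binaries: stay non-exec
    esac
    interp=${interp# }                            # allow "#! /bin/sh"
    interp=${interp%% *}                          # drop interpreter arguments
    for ok in $ALLOWED_INTERPRETERS; do
        [ "$interp" = "$ok" ] && { chmod a+x "$f"; return 0; }
    done
    return 1
}

# Constructed sample uploads; prints one yes/no per file.
grant_demo() (
    work=$(mktemp -d) || exit 1
    printf '#!/bin/sh\necho hi\n' > "$work/ok.cgi"
    printf '#!/tmp/x\necho hi\n' > "$work/odd.cgi"   # interpreter not allowlisted
    printf '<html></html>\n' > "$work/index.html"
    out=
    for n in ok.cgi odd.cgi index.html; do
        if grant_exec_if_ok "$work/$n" && [ -x "$work/$n" ]; then
            out="$out yes"
        else
            out="$out no"
        fi
    done
    rm -rf "$work"
    echo "${out# }"
)

grant_demo
```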







Re: Question on File Permissions

2002-09-22 Thread Colin Watson

On Sun, Sep 22, 2002 at 09:54:14PM +0200, Gottfried Szing wrote:
> and for setting default permissions you can also consult the umask
> functionality. but i think this is very dangerous to turn x on by
> default.

I can't think of a situation where it's dangerous to grant execute
permission, unless the executable is set-id. If you can read the file
then you can always copy it off somewhere else, set the execute bit
yourself, and execute it. If it isn't set-id and allows you to do
something bad, well, you could clearly have done that without the aid of
the executable.

-- 
Colin Watson  [[EMAIL PROTECTED]]






Re: Question on File Permissions

2002-09-22 Thread Gottfried Szing

On Sun, 2002-09-22 at 21.34, Debian User wrote:
> I set up a Web Server here on my Debian Box.
> 
> Question, is there any way to set a default file permission on a certain 
> user folder inside the /var/www/ folder.
> 
> I want to setup accounts for users to upload web files, but the problem 
> is that whenever I upload files, the files always default to read only 
> and I have to run the chmod command each time, instead of them just 
> defaulting to read and exe access for all.  
> 
> Is there any way to set this.

how is the upload done? via ftp or http-fileupload. if it is done via
ftp, many ftp-servers allow to set default-permissions for files stored
in an "upload"-directory.

and for setting default permissions you can also consult the umask
functionality. but i think this is very dangerous to turn x on by
default.

cu

