Dear People,
I'm fairly new to Apache administration, so I apologise in advance if this is an
obvious question.
I am running Apache on Debian Sarge. It is running some CGI scripts, which
allow a web client (browser) to upload data, process it, and then return
the process results to the client in the form of clickable links which
correspond to the results.
Let us assume for the purpose of this question that I have a CGI script along
with other web pages, located in /var/www/data, which needs to write temporary
files for the purpose described above.
My question is as follows. What is a good place to locate these files, and what
permissions should be set on these files?
It seems to be clear that allowing Apache's user (namely www-data) write
permission to /var/www/data is a bad idea, because it would allow an attacker
who obtained the permissions of www-data free access to the web pages there.
However, it is less clear where these files should be put.
First I was thinking of putting them in /tmp, but I am not sure it is a good
idea for Apache to be serving files from /tmp. Also, we require these files to
be preserved over quite long periods of time, and /tmp is cleared on every
reboot.
I'm now toying with the idea of putting them in, say, /var/www/data/tmp, where
tmp would be owned by www-data (both user and group www-data), and nobody else
would have write access. Actually, disabling read access might be a good idea
as well.
What do people think of that? Any other suggestions/opinions?
Thanks in advance. Please cc me on any reply.
Faheem.
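
An added example, not part of the original post: a shell audit of the layout the post proposes, checking that the document root cannot be modified by the CGI account and that the results directory is a real directory owned by that account with no group or other write bits. It assumes GNU `stat` (as shipped on Debian); the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat, as on Debian.
# Directory paths and the account name are arguments; nothing is hard-coded.

# has_bits PATH MASK: succeed if any permission bit in octal MASK is set.
has_bits() {
    mode=$(stat -c %a "$1") || return 2
    [ $(( 0$mode & 0$2 )) -ne 0 ]
}

# check_docroot DIR USER: the CGI account must not be able to modify pages.
# Conservative: any group or other write bit counts as a failure.
check_docroot() {
    if [ ! -d "$1" ]; then
        echo "FAIL: $1 is not a directory"; return 1
    fi
    rc=0
    if [ "$(stat -c %U "$1")" = "$2" ]; then
        echo "FAIL: $1 is owned by $2"; rc=1
    fi
    if has_bits "$1" 022; then
        echo "FAIL: $1 is group- or world-writable"; rc=1
    fi
    return $rc
}

# check_results DIR USER: a real directory (not a symlink), owned by USER,
# writable by nobody else. Group/other read is reported but not a failure.
check_results() {
    if [ -L "$1" ] || [ ! -d "$1" ]; then
        echo "FAIL: $1 is not a real directory"; return 1
    fi
    rc=0
    if [ "$(stat -c %U "$1")" != "$2" ]; then
        echo "FAIL: $1 is not owned by $2"; rc=1
    fi
    if has_bits "$1" 022; then
        echo "FAIL: $1 is writable by group or other"; rc=1
    fi
    if has_bits "$1" 044; then
        echo "NOTE: $1 is readable by group or other"
    fi
    return $rc
}

# Usage with the post's paths, run on the server itself:
#   check_docroot /var/www/data www-data
#   check_results /var/www/data/tmp www-data
```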
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.