icculus

Web Servers - Directory Permissions

I've got a bit of a dilemma... I am part of a website design
team for a new client, which wants us to set up a membership
system for them.

The membership system allows members to use an online
CGI-driven script to design their homepage. To do this I
set up a users directory where all member accounts will be
stored; the users have ftp-only access to the site. The
users directory and all member subdirectories are now group
owned by the web server group (www) with group write
permissions so the CGI scripts can write to their directories.

However, now I find that users can ftp in, change directories
to another user's directory and also write to those! Obviously
not what I wanted.

Can anyone suggest a way to accomplish the following goals:

1) Allow the web server to write to all subdirectories of
the users directory via CGI.
2) Allow users to ftp into their accounts and have full
read/write access.
3) Prevent users from being able to write to other users'
directories.

I would greatly appreciate your suggestions!
Thanks,
Andy
gmd@netmcr.com
ASKER CERTIFIED SOLUTION
n0thing

icculus

ASKER

Excellent answer! Right after receipt I rewrote our membership
system to implement your solution; my tests show it works
exactly as you proposed.

Thank you so much!
Andy
icculus

ASKER

Well, looks like I spoke a bit too soon...

It looks like the web server can write to files already
present in the directory, however it cannot create
new files...

How would I go about allowing the web server to create
new files in a user's directory?

Thanks much!
andy

Any scripts or processes which want to write to that directory should
be in the group "www". By default, the httpd daemon is owned by
nobody.nobody. You'll have to change the group id in the
httpd.conf file to "www" and restart the server.

Regards,
n0thing
icculus

ASKER

The web server is already user www and group www, but
it doesn't belong to the wwuser group, which owns the
directory...

-Andy

The user's directory should be joe:www and not joe:wwwuser. If
you set it to joe:wwwuser, then every other user will be able
to write to it and it will defeat the purpose of the SGID bit.
So that way, the owner will be able to write to it; the other
users can't, since they belong to wwwuser but not www. Any
CGI/process with the group ID of www could write to that
directory. For any further questions on the topic, send mail to me
directly at minh@qc.bell.ca.

Regards,
Minh Lai
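
The layout described in the last reply (member directory owned by the member, group www, SGID bit set) can be checked across the whole users directory with a short audit script. This is an added example, not part of the thread: the function names are hypothetical, and it assumes `ls -ld` output with group names that contain no spaces.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Parses `ls -ld`, so it assumes group names without spaces.

# audit_userdir DIR GROUP
# Prints one finding per line; returns 0 if DIR matches the layout, else 1.
audit_userdir() {
    dir=$1
    want=$2
    mode=$(ls -ld "$dir" | awk '{print $1}')    # e.g. drwxrws---
    group=$(ls -ld "$dir" | awk '{print $4}')
    bad=0
    # Wrong group: CGI running as GROUP gets no group access, or (with a
    # group every member belongs to, like wwwuser) all members get it.
    if [ "$group" != "$want" ]; then
        echo "$dir: group is $group, expected $want"; bad=1
    fi
    # No group write on the directory: the server can still modify existing
    # group-writable files but cannot create new ones.
    case $mode in
        ?????w*) ;;
        *) echo "$dir: no group write, $want cannot create files"; bad=1 ;;
    esac
    # No SGID: on Linux, files a member uploads take the member's primary
    # group instead of inheriting the directory's group.
    case $mode in
        ??????[sS]*) ;;
        *) echo "$dir: SGID bit not set"; bad=1 ;;
    esac
    # World-writable: any other account can write here.
    case $mode in
        ????????w*) echo "$dir: world-writable"; bad=1 ;;
    esac
    return $bad
}

# audit_users_root ROOT GROUP: audit every subdirectory of ROOT.
audit_users_root() {
    rc=0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        audit_userdir "${d%/}" "$2" || rc=1
    done
    return $rc
}
```

Run as `audit_users_root /path/to/users www`; a directory that reports "no group write" reproduces the asker's follow-up symptom, where existing files can be modified but new ones cannot be created.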