writable

Discussion in 'Ruby' started by paul vudmaska, May 18, 2004.

  1. Thanks to the help of a kind rubyist i'm able to write a script for
    creating directories - some of them writable by the web server for
    uploading files.

    This permission works 0757 which amounts to
    drwxr-xrwx

    All privs for owner and other but not write for group.

    Owner   Group   Other
    r w x   r w x   r w x
    4 2 1   4 2 1   4 2 1

      7       5       7

    I would have thought 0775 would have been better (not writable by other),
    but that did not fly. What permission octet do the gurus recommend for
    writable directories?

    Seems to me, group should be the correct permission for the server.
    Doesn't other mean the whole world and will allow them to put baddies
    in there?

    Thanks a bunch guys and gals,
    :p

    ps: for those who've not checked
    http://phrogz.net/ProgrammingRuby/frameset.html
    it's a great, dynamic online version of pickaxe - thanks to gavin.
     
    paul vudmaska, May 18, 2004
    #1
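
Why 0757 can work where 0775 fails, as an added example that is not part of the original thread: the kernel applies exactly one of owner, group or other to a process, so a web server that is neither the directory's owner nor in its group is judged by the "other" bits. The uids and gids are constructed, and that the poster's server falls under "other" is an assumption.

```ruby
# Added example. Models the classic Unix owner/group/other check only;
# root (uid 0), ACLs and mount options are ignored. All ids are constructed.

# Render permission bits such as 0o757 as "rwxr-xrwx".
def mode_string(mode)
  (0..8).map { |i| ((mode >> (8 - i)) & 1) == 1 ? "rwx"[i % 3] : "-" }.join
end

# Exactly one class applies: owner if the uid matches, otherwise group if any
# of the process's gids matches, otherwise other. There is no fall-through.
def access_class(dir_uid, dir_gid, proc_uid, proc_gids)
  return :owner if proc_uid == dir_uid
  return :group if proc_gids.include?(dir_gid)
  :other
end

# Creating a file in a directory needs both the write (2) and search (1) bits.
def can_create_in?(mode, dir_uid, dir_gid, proc_uid, proc_gids)
  shift = { owner: 6, group: 3, other: 0 }.fetch(
    access_class(dir_uid, dir_gid, proc_uid, proc_gids))
  ((mode >> shift) & 0o3) == 0o3
end

def world_writable?(mode)
  (mode & 0o002) != 0
end

SITE  = { uid: 1001, gids: [1001] } # account that owns the site (constructed)
WEB   = { uid: 48,   gids: [48] }   # web server account (constructed)
OTHER = { uid: 1002, gids: [1002] } # unrelated local user (constructed)

if __FILE__ == $PROGRAM_NAME
  [[0o757, SITE], [0o775, SITE], [0o755, WEB], [0o744, WEB]].each do |mode, owner|
    web   = can_create_in?(mode, owner[:uid], owner[:gids][0], WEB[:uid], WEB[:gids])
    other = can_create_in?(mode, owner[:uid], owner[:gids][0], OTHER[:uid], OTHER[:gids])
    printf("%04o %s owner-uid=%d web=%s other-user=%s world-writable=%s\n",
           mode, mode_string(mode), owner[:uid], web, other, world_writable?(mode))
  end
end
```

With 0775 the server can write only once its account is added to the directory's group; with 0757 every local account can.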

  2. Hi,

    On Tue, 2004-05-18 at 16:18, paul vudmaska wrote:
    > Thanks to the help of a kind rubyist i'm able to write a script for
    > creating directories - some of them writable by the web server for
    > uploading files.
    >
    > This permission works 0757 which amounts to
    > drwxr-xrwx
    >
    > All privs for owner and other but not write for group.
    >
    > Owner   Group   Other
    > r w x   r w x   r w x
    > 4 2 1   4 2 1   4 2 1
    >
    >   7       5       7
    >
    > I would have thought 0775 would have been better (not writable by other),
    > but that did not fly. What permission octet do the gurus recommend for
    > writable directories?
    >
    > Seems to me, group should be the correct permission for the server.
    > Doesn't other mean the whole world and will allow them to put baddies
    > in there?
    >
    > Thanks a bunch guys and gals,
    > :p
    >
    > ps: for those who've not checked
    > http://phrogz.net/ProgrammingRuby/frameset.html
    > it's a great, dynamic online version of pickaxe - thanks to gavin.


    The method I've used is to have a file upload directory with permission
    755 and owned by the webserver user, in my case:
    chown apache:apache directory_name

    This allows the server process to write any uploaded files to the
    directory using this code:

    local_file = @cgi['url'].local_path
    original_filename = @cgi['url'].original_filename
    path = "../tutorials/gfx/" + original_filename
    FileUtils.cp(local_file.untaint, path.untaint)

    Actually I just tried it with 744 and that works too.

    Anyone else see any security problems with that?

    regards,

    Martin
     
    Martin Stannard, May 18, 2004
    #2
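
A hardened form of the copy step above, as an added example (not code from the thread): `original_filename` is chosen by the client and `untaint` only clears Ruby's taint flag without validating anything, so the name is reduced to a leaf and checked before it is joined to the upload directory. `safe_leaf_name`, `store_upload` and the image-extension allow-list are assumptions made for the illustration.

```ruby
# Added example; ALLOWED_EXT and both function names are assumptions.
ALLOWED_EXT = %w[.png .gif .jpg .jpeg].freeze

# Reduce a client-supplied filename to a safe leaf name, or nil if unacceptable.
def safe_leaf_name(original_filename)
  name = original_filename.to_s
  return nil if name.include?("\0")
  # Drop any directory part, whichever separator the client used.
  name = File.basename(name.tr("\\", "/"))
  # Must start with a letter or digit: rejects "", ".", ".." and dotfiles.
  return nil unless name.match?(/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/)
  # Only image types, so scripts cannot be dropped into a web-served directory.
  return nil unless ALLOWED_EXT.include?(File.extname(name).downcase)
  name
end

# Copy the uploaded temp file into upload_dir. Returns the stored path,
# or nil when the name is rejected or an entry of that name already exists.
def store_upload(local_file, original_filename, upload_dir)
  leaf = safe_leaf_name(original_filename)
  return nil unless leaf
  root = File.realpath(upload_dir)
  dest = File.join(root, leaf)
  # CREAT|EXCL fails if anything (including a symlink) already has this name;
  # mode 0644 leaves the stored file without execute bits.
  File.open(dest, File::WRONLY | File::CREAT | File::EXCL, 0o644) do |out|
    IO.copy_stream(local_file, out)
  end
  dest
rescue Errno::EEXIST
  nil
end
```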

  3. Martin Stannard <> wrote in message news:<1084887383.14209.10.camel@beyond>...
    > Hi,
    >
    > On Tue, 2004-05-18 at 16:18, paul vudmaska wrote:
    > > Thanks to the help of a kind rubyist i'm able to write a script for
    > > creating directories - some of them writable by the web server for
    > > uploading files.
    > >
    > > This permission works 0757 which amounts to
    > > drwxr-xrwx
    > >
    > > All privs for owner and other but not write for group.
    > >
    > > Owner   Group   Other
    > > r w x   r w x   r w x
    > > 4 2 1   4 2 1   4 2 1
    > >
    > >   7       5       7
    > >
    > > I would have thought 0775 would have been better (not writable by other),
    > > but that did not fly. What permission octet do the gurus recommend for
    > > writable directories?
    > >
    > > Seems to me, group should be the correct permission for the server.
    > > Doesn't other mean the whole world and will allow them to put baddies
    > > in there?
    > >
    > > Thanks a bunch guys and gals,
    > > :p
    > >
    > > ps: for those who've not checked
    > > http://phrogz.net/ProgrammingRuby/frameset.html
    > > it's a great, dynamic online version of pickaxe - thanks to gavin.

    >
    > The method I've used is to have a file upload directory with permission
    > 755 and owned by the webserver user, in my case:
    > chown apache:apache directory_name


    This is making better sense to me - owner apache...
    but in the script file(not from the web) i use the ticks
    `chown apache:apache dir_name`
    #>invalid user name

    so i did
    #>users - just guessing...im a *nix rookie
    and bepweb was listed...

    `chown bepweb dir_name`

    #>Operation not permitted

    Bummer

    >
    > This allows the server process to write any uploaded files to the
    > directory using this code:
    >
    > local_file = @cgi['url'].local_path
    > original_filename = @cgi['url'].original_filename
    > path = "../tutorials/gfx/" + original_filename
    > FileUtils.cp(local_file.untaint, path.untaint)
    >

    Sweet this is much simpler than what i was doing. My next host, i
    hope, is running 1.8 so i can use FileUtils

    > Actually I just tried it with 744 and that works too.
    >
    > Anyone else see any security problems with that?
    >
    > regards,
    >
    > Martin


    Thanks for the help, paul

    OT: I told folks i was checking out hub.org. Can't recommend them,
    unfortunately. If i find a good host i'll post. I'm currently checking
    out a host that is giving me a dedicated box for 29 a month....not big
    hw but adequate...i hope...
     
    paul vudmaska, May 18, 2004
    #3
  4. On Wed, 2004-05-19 at 06:18, paul vudmaska wrote:
    > Martin Stannard <> wrote in message news:<1084887383.14209.10.camel@beyond>...


    > > The method I've used is to have a file upload directory with permission
    > > 755 and owned by the webserver user, in my case:
    > > chown apache:apache directory_name

    >
    > This is making better sense to me - owner apache...
    > but in the script file(not from the web) i use the ticks
    > `chown apache:apache dir_name`
    > #>invalid user name
    >
    > so i did
    > #>users - just guessing...im a *nix rookie
    > and bepweb was listed...
    >
    > `chown bepweb dir_name`
    >
    > #>Operation not permitted
    >
    > Bummer
    >
    > >
    > >

    > Sweet this is much simpler than what i was doing. My next host, i
    > hope, is running 1.8 so i can use FileUtils
    >
    > > Actually I just tried it with 744 and that works too.
    > >
    > > Anyone else see any security problems with that?
    > >
    > > regards,
    > >
    > > Martin

    >
    > Thanks for the help, paul
    >
    > OT: I told folks i was checking out hub.org. Can't recommend them,
    > unfortunately. If i find a good host i'll post. I'm currently checking
    > out a host that is giving me a dedicated box for 29 a month....not big
    > hw but adequate...i hope...


    Hi Paul,

    I just set up the directory beforehand manually - the chown is just
    typed on the command line. Do you have to change permissions from within
    your script?

    Try rootr.net for hosting.

    gotta run,

    Martin
     
    Martin Stannard, May 18, 2004
    #4
  5. Martin Stannard <> wrote in message news:<1084917054.7623.2.camel@beyond>...
    > On Wed, 2004-05-19 at 06:18, paul vudmaska wrote:
    > > Martin Stannard <> wrote in message news:<1084887383.14209.10.camel@beyond>...

    >
    > > > The method I've used is to have a file upload directory with permission
    > > > 755 and owned by the webserver user, in my case:
    > > > chown apache:apache directory_name

    > >
    > > This is making better sense to me - owner apache...
    > > but in the script file(not from the web) i use the ticks
    > > `chown apache:apache dir_name`
    > > #>invalid user name
    > >
    > > so i did
    > > #>users - just guessing...im a *nix rookie
    > > and bepweb was listed...
    > >
    > > `chown bepweb dir_name`
    > >
    > > #>Operation not permitted
    > >
    > > Bummer
    > >
    > > >
    > > >

    > > Sweet this is much simpler than what i was doing. My next host, i
    > > hope, is running 1.8 so i can use FileUtils
    > >
    > > > Actually I just tried it with 744 and that works too.
    > > >
    > > > Anyone else see any security problems with that?
    > > >
    > > > regards,
    > > >
    > > > Martin

    > >
    > > Thanks for the help, paul
    > >
    > > OT: I told folks i was checking out hub.org. Can't recommend them,
    > > unfortunately. If i find a good host i'll post. I'm currently checking
    > > out a host that is giving me a dedicated box for 29 a month....not big
    > > hw but adequate...i hope...

    >
    > Hi Paul,
    >
    > I just set up the directory beforehand manually - the chown is just
    > typed on the command line. Do you have to change permissions from within
    > your script?


    No i don't have to but i've been creating a lot of sites and for each
    one i need to go in and recreate this structure for each host. Just
    wanted to automate it with a script.

    > Try rootr.net for hosting.


    :) I'm using them currently and i've been fairly happy. However they
    are running Ruby 1.68 and Mysql 3.23. After running into a bug in
    mysql that brings pages down periodically i've pleaded with them to
    upgrade...at least mysql. Without luck. I did not want to share the
    ruby interpreter either.

    Thanks again for your help.
    Paul
     
    paul vudmaska, May 19, 2004
    #5