Thanks to the help of a kind rubyist i’m able to write a script for
creating directories - some of them writable by the web server for
uploading files.

This permission works 0757 which amounts to
drwxr-xrwx

All privs for owner and other but not write for group.

Owner Group Other
r w x r w x r w x
4 2 1 4 2 1 4 2 1

7 5 7

I would have thot 0775 would have been better(not writable by other),
but that did not fly. What permission octet do the gurus recommend for
writable directories?

Seems to me, group should be the correct permission for the server.
Does’nt other mean the whole world and will allow them to put baddies
in there?

Thanks a bunch guys and gals,

ps: for those who’ve not checked
http://phrogz.net/ProgrammingRuby/frameset.html
it’s a great, dynamic online version of pickaxe - thanks to gavin.

Hi,

Thanks to the help of a kind rubyist i’m able to write a script for
creating directories - some of them writable by the web server for
uploading files.

This permission works 0757 which amounts to
drwxr-xrwx

All privs for owner and other but not write for group.

Owner Group Other
r w x r w x r w x
4 2 1 4 2 1 4 2 1

7 5 7

I would have thot 0775 would have been better(not writable by other),
but that did not fly. What permission octet do the gurus recommend for
writable directories?

Seems to me, group should be the correct permission for the server.
Does’nt other mean the whole world and will allow them to put baddies
in there?

Thanks a bunch guys and gals,

ps: for those who’ve not checked
Programming Ruby
it’s a great, dynamic online version of pickaxe - thanks to gavin.

The method I’ve used is to have a file upload directory with permission
755 and owned by the webserver user, in my case:
chown apache:apache directory_name

This allows the server process to write any uploaded files to the
directory using this code:

local_file = @cgi['url'].local_path
original_filename = @cgi['url'].original_filename
path = "../tutorials/gfx/" + original_filename
FileUtils.cp(local_file.untaint, path.untaint)

Actually I just tried it with 744 and that works too.

Anyone else see any security problems with that?

regards,

Martin

Martin Stannard martins@aardvark.net.au wrote in message news:1084887383.14209.10.camel@beyond…

Hi,

Thanks to the help of a kind rubyist i’m able to write a script for
creating directories - some of them writable by the web server for
uploading files.

This permission works 0757 which amounts to
drwxr-xrwx

All privs for owner and other but not write for group.

Owner Group Other
r w x r w x r w x
4 2 1 4 2 1 4 2 1

7 5 7

I would have thot 0775 would have been better(not writable by other),
but that did not fly. What permission octet do the gurus recommend for
writable directories?

Seems to me, group should be the correct permission for the server.
Does’nt other mean the whole world and will allow them to put baddies
in there?

Thanks a bunch guys and gals,

ps: for those who’ve not checked
Programming Ruby
it’s a great, dynamic online version of pickaxe - thanks to gavin.

The method I’ve used is to have a file upload directory with permission
755 and owned by the webserver user, in my case:
chown apache:apache directory_name

This is making better sense to me - owner apache…
but in the script file(not from the web) i use the ticks
chown apache:apache dir_name
#>invalid user name

so i did
#>users - just guessing…im a *nix rookie
and bepweb was listed…

chown bepweb dir_name

#>Operation not permitted

Bummer

This allows the server process to write any uploaded files to the
directory using this code:

local_file = @cgi['url'].local_path
original_filename = @cgi['url'].original_filename
path = "../tutorials/gfx/" + original_filename
FileUtils.cp(local_file.untaint, path.untaint)

Sweet this is much simpler than what i was doing. My next host, i
hope, is running 1.8 so i can use FileUtils

Actually I just tried it with 744 and that works too.

Anyone else see any security problems with that?

regards,

Martin

Thanks for the help,paul

OT: I told folks i was checking out hub.org. Cant recommend them,
unfortunately. If i find a good host i’ll post. I’m currently checking
out a host that is giving me a dedicated box for 29 a month…not big
hw but adequate…i hope…

Hi Paul,

I just set up the directory beforehand manually - the chown is just
typed on the command line. Do you have to change permissions from within
your script?

Try rootr.net for hosting.

gotta run,

Martin

Hi,

Just found a problem with that file uploading code I posted earlier. It
works when the uploaded file is passed as a Tempfile object but sometimes
the uploaded file is passed as a StringIO object. This seems to be
dependent on the size of the file but I haven’t dug into the cgi code to
confirm this. Anyway the upshot of this is that I’ve changed my code to
the following:

url = @cgi[‘url’]

TODO: add appropriate type checking here

original_filename = url.original_filename
path = “…/tutorials/gfx/” + original_filename
if url.kind_of?(Tempfile)
local_file = url.local_path
FileUtils.cp(local_file.untaint, path.untaint)
else # assume it’s a StringIO
File.open(path.untaint, “w”) { |f|
f << url.read
}
end

regards,

Martin

Martin Stannard martins@aardvark.net.au wrote in message news:1084917054.7623.2.camel@beyond…

Martin Stannard martins@aardvark.net.au wrote in message news:1084887383.14209.10.camel@beyond…

The method I’ve used is to have a file upload directory with permission
755 and owned by the webserver user, in my case:
chown apache:apache directory_name

This is making better sense to me - owner apache…
but in the script file(not from the web) i use the ticks
chown apache:apache dir_name
#>invalid user name

so i did
#>users - just guessing…im a *nix rookie
and bepweb was listed…

chown bepweb dir_name

#>Operation not permitted

Bummer

Sweet this is much simpler than what i was doing. My next host, i
hope, is running 1.8 so i can use FileUtils

Actually I just tried it with 744 and that works too.

Anyone else see any security problems with that?

regards,

Martin

Thanks for the help,paul

OT: I told folks i was checking out hub.org. Cant recommend them,
unfortunately. If i find a good host i’ll post. I’m currently checking
out a host that is giving me a dedicated box for 29 a month…not big
hw but adequate…i hope…

Hi Paul,

I just set up the directory beforehand manually - the chown is just
typed on the command line. Do you have to change permissions from within
your script?

No i dont have to but i’ve been creating a lot of sites and for each
one i need to go in and recreate this structure for each host. Just
wanted to automate it with a script.

Try rootr.net for hosting.

Im using them currently and i’ve been fairly happy. However they
are running Ruby 1.68 and Mysql 3.23. After running into a bug in
mysql that brings pages down periodically i’ve pleaded with them to
upgrade…at least mysql. Without luck.I did not want to share the
ruby interpreter either.

Thanks again for your help.
Paul