Ben-Nes Michael wrote:
>
> So what shall a web master do if he wants people to upload images
> to a directory?
> As I know, he must give a+w to the file.
> Is there another way?

[older stuff snipped]

One of two ways:

1. Use file-upload through HTTP (Netscape's method, but already a standard), then SAFELY move it to a storage place. Do _NOT_ do anything as stupid as system("mv $filename /blah/blah") (if using Perl, for example).

2. Allow them to upload the file through an anonymous FTP directory (also do-able through a web interface, not too much fuss) and you get to have the ftpd handle the security. Unfortunately, there have been tons of holes reported with various implementations of anonymous ftp (in WuFTPD, as well as ProFTPD - even the stock wuftpd that comes with rh6.1 is vulnerable to a root(!) exploit, even though you are supposedly chroot'ed - unfortunately it's trivial to code a module that bypasses chroot and have wuftpd load it :)

Make sure that files uploaded are not readable by anonymous users (perhaps not by anyone else either). Like this:

    upload /home/ftp /incoming yes [user] [group] 0000 nodirs

--
"You will now die. Make whatever rituals are necessary for your species."
 - Ur-Quan, Kohr-Ah
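An added example, not part of the original message: option 1 above in Perl, with the shell-interpolated `mv` shown only as a comment beside a move that never passes the client-supplied name to a shell. The names `safe_name` and `store_upload`, the filename whitelist and the sample names are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Copy qw(move);
use File::Temp qw(tempdir);

# Unsafe form the post warns about (left commented out): the string goes
# through /bin/sh, so ; | ` $( ) or spaces in $filename change the command.
#   system("mv $filename /blah/blah");

# Reduce a client-supplied name to a whitelisted basename, or return undef.
sub safe_name {
    my ($client_name) = @_;
    return undef unless defined $client_name;
    (my $base = $client_name) =~ s{^.*[/\\]}{};   # drop any path component
    # First character may not be a dot, so no dotfiles and no "..".
    return undef unless $base =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return $1;
}

# Move an uploaded temp file into $store_dir without involving a shell.
sub store_upload {
    my ($tmp_path, $client_name, $store_dir) = @_;
    my $name = safe_name($client_name);
    return undef unless defined $name;
    my $dest = "$store_dir/$name";
    return undef if -e $dest;      # best-effort overwrite check, not atomic
    move($tmp_path, $dest) or return undef;
    chmod 0600, $dest;             # not readable by other local users
    return $dest;
}

# Constructed sample names, including hostile ones.
my $incoming = tempdir(CLEANUP => 1);
my $store    = tempdir(CLEANUP => 1);
for my $client_name ('photo.jpg', '../../etc/passwd',
                     'x.jpg; rm -rf ~', '.htaccess') {
    my $tmp = "$incoming/upload.tmp";
    open(my $fh, '>', $tmp) or die "cannot create $tmp: $!";
    print {$fh} "constructed sample data\n";
    close($fh);
    my $dest = store_upload($tmp, $client_name, $store);
    printf "%-20s => %s\n", $client_name, defined $dest ? $dest : 'rejected';
}
```

If an external `mv` is required, the list form `system('mv', '--', $tmp_path, $dest)` also bypasses the shell.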