I just re-read your original post. You should be able to do a similar
thing with whatever web application you are using to set the umask for
uploaded files.

Zane W wrote:

> Change the umask on your ftpd server to something like 133:022, and
> new files uploaded will have permissions of 644 with directories
> getting 755. This should allow your script to work without problems.
>
> z
> Zhang Weiwu wrote:
>
>> Hello. I am using a script tool to back up the apache uploaded files
>> (through ssh) on the web server. These files reside in a folder
>> that belongs to the 'apache' user. Each time a user uploads a file within
>> the web application, the uploaded file stays in that folder with mode
>> 700.
>>
>> Because only the apache user can read that file (700 permission), it
>> makes it difficult to receive the files through ssh. This is what I did:
>> 1) on the backup box (not the web server), create user apache,
>> generate a dsa key pair for it.
>> 2) on the web server, create /home/httpd, put the public key of
>> apache@backup_box in ~apache/.ssh/authorized_keys
>> 3) on the web server, allow the apache user to log in (by changing its shell
>> from /bin/false to /bin/bash)
>> 4) run the backup script on the backup box as apache.
>>
>> This raises a security problem: the apache user being able to log in
>> through ssh. I am not very experienced to tell how dangerous this
>> could be. I think I am not going to suffer from an ssh dictionary
>> attack, for a very simple reason: user apache (should) have no password,
>> and ssh password login is turned off on the web server. However, are there
>> any other risks that could be caused by setting the apache user's login
>> shell to bash?
>>
>> Another idea might be changing all the uploaded file permissions to
>> something like 740, but new files are uploaded every day, and they are
>> automatically given permission 700.
>>
>> Thank you!
>>
>
>
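
Added example, not part of the original thread: a Python sketch that creates a file and a directory under a given umask and reports the resulting modes, reading 133:022 as a file mask and a directory mask, as the reply's 644/755 result implies. That the web application requests mode 0777 for uploads is an assumption made to reproduce the 700 from the original post, and `created_modes` is a hypothetical helper name.

```python
import os
import stat
import tempfile


def created_modes(mask, file_request=0o666, dir_request=0o777):
    """Create a file and a directory under `mask`; return (file_mode, dir_mode).

    The kernel stores (requested mode & ~umask), so the result depends on
    both the mask and the mode the creating program asks for.
    """
    # Make the scratch directory first: mkdtemp() asks for 0700, and a mask
    # such as 133 would strip its owner-execute bit and lock us out of it.
    with tempfile.TemporaryDirectory() as tmp:
        fpath = os.path.join(tmp, "upload.bin")
        dpath = os.path.join(tmp, "subdir")
        old = os.umask(mask)  # process-wide, so always restore it
        try:
            os.close(os.open(fpath, os.O_CREAT | os.O_WRONLY, file_request))
            os.mkdir(dpath, dir_request)
        finally:
            os.umask(old)
        modes = (stat.S_IMODE(os.stat(fpath).st_mode),
                 stat.S_IMODE(os.stat(dpath).st_mode))
        os.chmod(dpath, 0o700)  # keep cleanup simple whatever the mask was
        return modes


if __name__ == "__main__":
    # Constructed cases. file_request=0o777 is an assumption about how the
    # web application creates uploads, chosen because it reproduces the 700.
    cases = [
        ("default mask 077, app asks 0777", 0o077, 0o777),
        ("file mask 133, app asks 0777", 0o133, 0o777),
        ("dir mask 022, app asks 0666", 0o022, 0o666),
    ]
    for label, mask, request in cases:
        f, d = created_modes(mask, file_request=request)
        print(f"{label}: file {f:03o}, dir {d:03o}")
```

The second case also yields 644 for the directory, which strips the search bit and leaves it untraversable; that is why the directory mask has to be the separate 022.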