Subj : Re: Proper Permissions
To   : comp.os.linux
From : ibuprofin
Date : Fri Dec 24 2004 04:37 pm

In article <1103854978.982638@nntp.acecape.com>, daniel kaplan wrote:

>my train of thought was this...a user on my system wants to post photos of
>him/herself. so in the temp directory, from a web browser (i should have
>stated that) that user goes to a form, which using my perl script, deposits
>the photo into a folder that can only be written to. but not read.

OK - but you would normally put it so that only the owner can drop the stuff there, so that would really want permissions 700.

There is a similar configuration used for returning homework assignments. The instructor creates a directory that the students can write to, but not read or execute. The trick here is that there is a daemon that monitors the directory, and as soon as something is deposited there, the daemon moves it to another directory where the students can't access. The most common setup is that the directory is owned by the instructor and the group "students", and has permissions 720 - meaning that members of the group 'students' can write there, but no outsiders. The daemon that moves the file (to reduce the window of sabotage) also changes permissions and ownership as needed. This also reduces the chance of becoming a warez storage point.

Another technique might be for your perl script to run as a group that has permission to write to the directory, and creates the file with the ownership of the photo supplier. Your script has the right to write, but the owner of the photo need only fill in the appropriate block indicating ownership. After approval, you can then move the photo to the appropriate directory, and perhaps change the 'group' ownership to something more appropriate.

Old guy
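
A sketch of one pass of the sweeping daemon described in the post above, as an added example that is not code from the thread. The names `make_dropbox` and `sweep`, the directory layout and the modes are assumptions: the example uses 0730 for the drop directory because creating a file in a directory needs search (x) permission as well as write, and it assumes the daemon runs with enough privilege to chmod what was deposited (root in the multi-user case).

```python
import os
import stat

DROP_MODE = 0o730     # assumption: owner rwx, group -wx (deposit, but no listing)
PRIVATE_MODE = 0o700  # holding area only the owner can enter
FILE_MODE = 0o600     # swept files: owner read/write only


def make_dropbox(base):
    """Create the drop directory and the private holding directory under base."""
    drop = os.path.join(base, "drop")
    private = os.path.join(base, "private")
    for path, mode in ((drop, DROP_MODE), (private, PRIVATE_MODE)):
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod: mkdir's mode is filtered by umask
    return drop, private


def sweep(drop, private):
    """One daemon pass: move deposited regular files out of the depositors' reach."""
    moved = []
    for entry in list(os.scandir(drop)):
        if not entry.is_file(follow_symlinks=False):
            continue  # ignore symlinks, directories, FIFOs
        dest = os.path.join(private, entry.name)
        if os.path.lexists(dest):
            continue  # never overwrite an earlier deposit
        os.rename(entry.path, dest)  # atomic: both directories share a filesystem
        # Re-check inside the private directory, where depositors can no longer
        # swap the file for something else between the check and the chmod.
        if not stat.S_ISREG(os.lstat(dest).st_mode):
            continue  # leave it in place for manual inspection
        os.chmod(dest, FILE_MODE)
        moved.append(entry.name)
    return sorted(moved)
```

A real daemon would call `sweep` in a loop or from a directory-change notification, and would chown the moved file if ownership needs to change.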