Apache Server configuration support - write but can't delete


Author write but can't delete
Ken

2006-11-18, 1:32 am

hi,

The nobody user can write into a directory, but once it is written, I
don't want the files and the directory to be deleted.

Is there a possible solution?

David

2006-11-18, 1:32 am

Ken wrote:
> hi,
>
> The nobody user can write into a directory, but once it is written, I
> don't want the files and the directory to be deleted.
>
> Is there a possible solution?
>


If he owns the directory/file, what you want won't work.
Davide Bianchi

2006-11-18, 7:23 am

On 2006-11-18, Ken <KenPerl@gmail.com> wrote:
> The nobody user can write into a directory, but once it is written, I
> don't want the files and the directory to be deleted.


If he can write in the directory then he can also delete the files
written. (What has this to do with Apache or Configuration?)

Now, since your solution doesn't work, why don't you explain your
problem?

Davide


--
The Magic of Windows: Turns a 486 back into a PC/XT.
Ken

2006-11-19, 1:30 am

my problem is,

web users can create/write files into a directory on the server,
however, once it is written, it is very important data and I don't want
the users to delete them again by accident, for example, if the rm command is
run by nobody, then the important data will be deleted. I want
to prevent this from happening.

Can I use a daemon to monitor the data in the directory, and change the
owner to another once it has finished writing into the dir?

or apache can handle this well and has its own solution. I know some
ftpd support this feature, anonymous user can upload file but once it
is uploaded, it can't be deleted again.

Davide Bianchi wrote:
> On 2006-11-18, Ken <KenPerl@gmail.com> wrote:
>
> If he can write in the directory then he can also delete the files
> written. (What has this to do with Apache or Configuration?)
>
> Now, since your solution doesn't work, why don't you explain your
> problem?
>
> Davide
>
>
> --
> The Magic of Windows: Turns a 486 back into a PC/XT.


shimmyshack

2006-11-19, 1:30 am


> ftpd support this feature, anonymous user can upload file but once it
> is uploaded, it can't be deleted again.


yeah just use ftp, give the users the rights to read write append but
not delete. This can be very annoying indeed though, as a user may
upload half a file, and then not be able to kill it.


If you are using HTTP upload via apache to get important data, this
isn't the right way as http upload is vulnerable to network issues, to
my knowledge browsers don't support resume when uploading, (don't think
apache does either) Apache is not primarily designed to manage file
permissions, whereas a correctly set up ftpd is going to be more
configurable. (You can use mode Z, and resume etc... provided your
users can install filezilla, or some other ftp client for a common OS)

which system are you on, I like pureFTPd, do you have a preferred
ftp-daemon?

Perhaps though if you are determined to use HTTP upload why not
consider using md5(microtime) to rename the file, and store the mapping
of this -> filename in a database on flatfile, and/or move the file off
away from the web document root using cron. Making the filename mapping
reduces the risk of a targeted delete, before the next 60secs is up.

Have you thought about modifying the rm command to prevent recursive
delete for the apache user?

Ken

2006-11-20, 7:33 am

Changing rm is a good idea, but I think if there is another better and
easier solution, I don't need to change the current code. maybe using cron to
move the data to another dir not owned by nobody, or calling a setuid
script in the current code to do the same moving.

But, I'm still looking for a similar config/module in apache like the
ftpd has. If there is, it may be the easiest approach, the important
data is created by the current code, not by uploading.


shimmyshack wrote:
>
> yeah just use ftp, give the users the rights to read write append but
> not delete. This can be very annoying indeed though, as a user may
> upload half a file, and then not be able to kill it.
>
>
> If you are using HTTP upload via apache to get important data, this
> isn't the right way as http upload is vulnerable to network issues, to
> my knowledge browsers don't support resume when uploading, (don't think
> apache does either) Apache is not primarily designed to manage file
> permissions, whereas a correctly set up ftpd is going to be more
> configurable. (You can use mode Z, and resume etc... provided your
> users can install filezilla, or some other ftp client for a common OS)
>
> which system are you on, I like pureFTPd, do you have a preferred
> ftp-daemon?
>
> Perhaps though if you are determined to use HTTP upload why not
> consider using md5(microtime) to rename the file, and store the mapping
> of this -> filename in a database on flatfile, and/or move the file off
> away from the web document root using cron. Making the filename mapping
> reduces the risk of a targeted delete, before the next 60secs is up.
>
> Have you thought about modifying the rm command to prevent recursive
> delete for the apache user?
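
Added example, not part of the original thread: a sketch of the cron-driven move discussed above, which sweeps finished files out of the nobody-writable directory into one that user cannot write to. The name `sweep`, its parameters and the 60-second quiet period are assumptions; the archive is assumed to be on the same filesystem and owned by the account the cron job runs as.

```python
import os
import stat
import tempfile
import time


def sweep(spool, archive, min_age=60, owner=None, now=None):
    """Move finished regular files from spool to archive; return names moved.

    spool   -- directory the web user (e.g. nobody) can write to
    archive -- directory on the same filesystem that it cannot write to
    owner   -- optional (uid, gid) to chown to; needs root, so off by default
    (all names and defaults here are assumptions made for this example)
    """
    now = time.time() if now is None else now
    moved = []
    for name in sorted(os.listdir(spool)):
        src = os.path.join(spool, name)
        dst = os.path.join(archive, name)
        st = os.lstat(src)                 # lstat: do not follow symlinks
        if not stat.S_ISREG(st.st_mode):
            continue                       # ignore symlinks, dirs, fifos
        if now - st.st_mtime < min_age:
            continue                       # may still be being written
        if os.path.lexists(dst):
            continue                       # never overwrite archived data
        os.rename(src, dst)                # atomic within one filesystem
        # Re-check inside the archive, where the web user can no longer swap
        # the entry, before chmod/chown (both follow symlinks).
        if not stat.S_ISREG(os.lstat(dst).st_mode):
            continue                       # leave for review, do not chmod
        if owner is not None:
            os.chown(dst, *owner)
        os.chmod(dst, 0o444)               # read-only once archived
        moved.append(name)
    return moved


if __name__ == "__main__":
    # Constructed demo: one finished file, one fresh file, one symlink.
    with tempfile.TemporaryDirectory() as root:
        spool = os.path.join(root, "spool")
        archive = os.path.join(root, "archive")
        os.mkdir(spool)
        os.mkdir(archive)
        for n in ("done.dat", "fresh.dat"):
            open(os.path.join(spool, n), "w").close()
        os.utime(os.path.join(spool, "done.dat"), (0, 0))
        os.symlink("target-outside-spool", os.path.join(spool, "link"))
        print(sweep(spool, archive))
```

Files remain deletable by the web user until the next sweep runs, so the quiet period and cron interval set the size of that window.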

