[Chicago-talk] chown inside a script

Jay Strauss me at heyjay.com
Thu Dec 6 14:51:24 PST 2007


On Dec 6, 2007 3:47 PM, Jason Rexilius <jason at hostedlabs.com> wrote:
> Yeah, that isn't as bad as having this exposed to the internet.
>
> Here is a way that breaks the tasks apart and gives you ability to wrap
> security controls around bits.
>
> 1) Write a cron job that runs every minute, as root, that simply does a
> mv or a cp -p && rm of filenames in a list (for security's sake, stripping
> out any '..' and prepending a hard-coded path prefix.)
>
> 2) Write a cgi-script that simply writes a list of files to be moved
> that the cron job reads.  Something as simple as a touch
> /tmp/movefiles/[name_of_file] (which cron does readdir then removes tmp
> files when done).
>
> I just like keeping suid root scripts out of the line of cgi...

I guess, better yet, just run the cron job on the "closed" directory,
and do the code I'm currently doing in the cgi to determine file
ownership.

thanks
Jay
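The two-step design from the quoted reply (an unprivileged CGI only drops a request name into a spool directory; a root cron job sanitises the name and does the cp -p && rm under hard-coded prefixes), as an added example that is not code from the thread. The directory paths and function names are assumptions; the point is that the root side never trusts anything but a bare filename.

```sh
#!/bin/sh
# Added example, not from the thread. Directory paths are assumptions.
QUEUE_DIR="${QUEUE_DIR:-/tmp/movefiles}"   # CGI writes empty request files here
SRC_DIR="${SRC_DIR:-/var/www/upload}"      # hard-coded source prefix (root side)
DST_DIR="${DST_DIR:-/var/www/closed}"      # hard-coded destination prefix (root side)

# Accept only a bare filename: no empty name, no '/', no '..',
# no leading '-' (option injection) and no dotfiles. 0 = safe, 1 = rejected.
safe_name() {
  case "$1" in
    ''|*/*|*..*|-*|.*) return 1 ;;
  esac
  return 0
}

# CGI side (unprivileged): only records a request; it never moves anything.
queue_request() {
  safe_name "$1" || return 1
  : > "$QUEUE_DIR/$1"
}

# Root side: move one requested file, mirroring the quoted cp -p && rm.
# Returns 1 for a rejected or missing name so the caller can log it.
move_one() {
  name=$1
  if ! safe_name "$name"; then
    echo "rejected: $name" >&2
    return 1
  fi
  if [ ! -f "$SRC_DIR/$name" ]; then
    echo "missing: $name" >&2
    return 1
  fi
  cp -p -- "$SRC_DIR/$name" "$DST_DIR/$name" && rm -f -- "$SRC_DIR/$name"
}

# Root cron job body: readdir the spool, act on each request, then drop the
# request file whether or not it was honoured. Prints the number moved.
process_queue() {
  moved=0
  for req in "$QUEUE_DIR"/*; do
    [ -e "$req" ] || continue
    if move_one "${req##*/}"; then
      moved=$((moved + 1))
    fi
    rm -f -- "$req"
  done
  echo "$moved"
}
```

Run with `QUEUE_DIR`, `SRC_DIR` and `DST_DIR` set for your layout; cron would invoke `process_queue` every minute as root, while the CGI calls only `queue_request`.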

