[cobalt-users] My eternal quest for perfect file uploads under PHP

[Marco Baurdoux <linux@xxxxxxxxxxxxx>]

About  week ago I posted a stupid message about, File uploads, PHP and any
eventual security bugs ( which were no security bugs, me and my paranoïa
before thinking ).

However I still end up with the files being uploaded get the following
settings 
 -rw-------   1 httpd    root           66 Sep 13 15:47
        /home/sites/home/web/tmp/test.file

These are the file setting for an uploaded file on a machine where no patch
had been installed.

-rwxrwxr-x   1 httpd    home           66 Sep 13 15:41
        /home/sites/home/web/tmp/test.file

So if somebody says to me that the first setting are normal because they
have the same setting, I don't agree.

So here's part one of my quest.
I found out that OS-update-3.0 made some changes to the permissions. ( Woaw
guys I can read what is written on the cobalt website :-)) ). But now where
are these file permissions altered. I have been searching in the init
scripts for any signs of "umask", but haven't found any. I found one in the
/etc/profile file, but this one remained unchanged after applying the patch.

So does anyone else have a clue.
Maybe some people from Cobalt who worked on this patch ??


This was part one of my quest, solving the file permissions, as soon as that
one is solved I will come back either with the solution about how to solve
the group settings or otherwise with another questions about how to change
the group settings :-))

So for now, enjoy searching your machines for eventual clues, for this
problem.

=======================================================================

Marco Baurdoux
Unix Administrator
Infomaniak Network SA
Avenue de la Praille 26
1227 Carouge
Switzerland
Tel: +41 (0)22 820 35 41
Fax: +41 (0)22 820 35 46
http://web.infomaniak.ch

Linux/Unix is very user friendly,
it's just very picky about who its friends are !!!

=======================================================================