Sunday, 15 September 2013

Giving permissions to apache user

I've developed a web application that lets users upload images and
transform them, to later download them again transformed. I obviously had
to give the apache user permissions on the directory where users can upload:

$ chown root:www-data uploadFolder
$ chmod 1775 uploadFolder

This gives the apache group all permissions, except removing.

The application creates a directory for each user session inside the
uploadFolder directory with 0700 permissions, and saves the user's images
inside.

A crontab job executes a script every 20 minutes that checks which
sessions are active and removes all files and folders inside uploadFolder
that don't match any active session.

It has been working fine for two months, but I'm not sure if it could be
dangerous for my application, database, or other sites on the same VPS.

Does anybody know the risk of being permissive in this situation?
Is there any alternative to avoid it?
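
An added example (not part of the original post): a Python check that a cron job could run to confirm the layout described above still holds, with uploadFolder at mode 1775 and every entry inside it a real directory at 0700. The function name, the finding messages and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

EXPECTED_ROOT_MODE = 0o1775     # from the post: chmod 1775 uploadFolder
EXPECTED_SESSION_MODE = 0o700   # from the post: one directory per session


def audit_upload_dir(path):
    """Return (entry, problem) tuples; an empty list means the layout matches."""
    st = os.lstat(path)                       # lstat never follows a symlink
    if not stat.S_ISDIR(st.st_mode):
        return [(path, "not a real directory")]
    findings = []
    mode = stat.S_IMODE(st.st_mode)           # permission bits incl. sticky
    if mode != EXPECTED_ROOT_MODE:
        findings.append((path, "mode %04o, expected %04o" % (mode, EXPECTED_ROOT_MODE)))
    if not mode & stat.S_ISVTX:
        findings.append((path, "sticky bit missing"))
    if mode & stat.S_IWOTH:
        findings.append((path, "world-writable"))

    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        cst = os.lstat(full)
        cmode = stat.S_IMODE(cst.st_mode)
        if stat.S_ISLNK(cst.st_mode):
            findings.append((name, "symlink (may point outside the upload area)"))
        elif not stat.S_ISDIR(cst.st_mode):
            findings.append((name, "not a session directory"))
        elif cmode != EXPECTED_SESSION_MODE:
            findings.append((name, "mode %04o, expected %04o" % (cmode, EXPECTED_SESSION_MODE)))
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:    # constructed sample tree
        root = os.path.join(tmp, "uploadFolder")
        os.mkdir(root)
        os.chmod(root, 0o1775)
        for name, mode in (("sess_ok", 0o700), ("sess_loose", 0o755)):
            d = os.path.join(root, name)
            os.mkdir(d)
            os.chmod(d, mode)                     # chmod so umask cannot interfere
        os.symlink(tmp, os.path.join(root, "sess_link"))
        for entry, problem in audit_upload_dir(root):
            print(entry, "->", problem)
```
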
