Re: Permission rights on servers and managing them without hassle [was File Upload Permission denied]
- Subject: Re: Permission rights on servers and managing them without hassle [was File Upload Permission denied]
- From: Helge Städtler <email@hidden>
- Date: Fri, 12 Aug 2005 09:17:21 +0200
hello...
On 12.08.2005 6:08, "LD" wrote using address <email@hidden>:
> Hi there,
>
> On 12/08/2005, at 7:33 AM, Helge Städtler wrote:
>
>> If you have not changed anything at the default WebObjects Deployment
>> Installation, your deployed application will run under the user "appserver"
>> or something like that.
>>
>> alternative A:
>> if this user is not able to write in the directory you specified for the
>> upload, you get the error you report. there is one easy way to get rid of
>> all these problems: make your app run with "root"-user-rights instead of
>> "appserv"! this is done by changing ownership and group of the complete
>> wotaskd-folder somewhere in
>> "/System/Library/WebObjects/JavaApplications/wotaskd.woa" to "root / wheel".
>
> DO NOT do that. There is one practical alternative - "B" - and it's
> recursive :-)
>
>> Several people will now start crying...
>
> shocked in fact at such a suggestion ;-)

I think you should know about ALL alternatives. If you do not know this you
probably would miss this wisdom sometimes. ;-)

>> but hey, this will solve your problem.
>> Others get concerned about security, bla bla bla.... but since your
>> server is a server is a server... where should there be a
>> security problem?
>
> Why indeed?! The assumption suggested is that there is NO possibility
> of error. Not a safe assumption.

ok. but this error must be some error that will allow someone THROUGH a
WebObjects application to manipulate the JVM-commands in a way so that he
will gain access to the machine, right?
Is there any other way? I mean if you do not touch anything else? then your
security is dependent on the security of the JVM, right? what should be the
reason to not trust in the engineering of the JVM? It's used worldwide
millions of times...

> A rodent bug in your own code, Apache's, etc etc (or even Apple's),
> for example, may allow some arbitrary code to snuff your system.
> That's not worth the risk when alternative B is simple to do...
>
> That's the whole idea of permissions - not only do they keep out the
> nasties but they act as a safe-guard for internal activities as well.
> Diverge from the path at your own risk. But don't do it....
>
>> alternative B:
>> you could be the smart guy who simply changes the accessrights of the
>> directory where your files get uploaded to, to be owned by appserv. this
>> should help significantly.
>
> Ahh, the way of wisdom ;-)

Ok, on my servers I would do it the "A" way, if we are talking business
applications.
I supposed this was kind of a provocation to some people. Perhaps there are
some better solutions here? Where is alternative "C"?

regards,
helge
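
As an added example (not part of this message or the thread), a POSIX shell check for the two alternatives discussed above: it flags a service account that is uid 0 (alternative A) and verifies that an upload directory is owned by the service account and not world-writable (alternative B). The account name and directory passed to it are assumptions; the thread only names the user as "appserver" or something like that.

```shell
#!/bin/sh
# Added example, not from the thread. The account name and the upload
# directory are assumptions supplied by whoever runs the check.

# is_root_account USER: true when USER maps to uid 0 (alternative A).
is_root_account() {
    [ "$(id -u "$1" 2>/dev/null)" = 0 ]
}

# audit_upload_dir DIR USER: prints findings and returns 0 only when DIR is
# owned by USER and is not world-writable (alternative B).
audit_upload_dir() {
    dir=$1 user=$2 rc=0
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "FAIL: $dir is not a real directory"
        return 1
    fi
    # -prune keeps find at DIR itself; the output is empty when the owner
    # test fails or when USER does not exist.
    if [ -z "$(find "$dir" -prune -user "$user" 2>/dev/null)" ]; then
        echo "FAIL: $dir is not owned by $user"
        rc=1
    fi
    # A world-writable upload directory lets any local account plant files.
    if [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
        echo "FAIL: $dir is world-writable"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir is owned by $user and not world-writable"
    fi
    return "$rc"
}

# Usage (hypothetical file name): sh audit.sh /path/to/uploads appserver
if [ "$#" -eq 2 ]; then
    if is_root_account "$2"; then
        echo "WARN: $2 is uid 0; any bug in the application runs as root"
    fi
    audit_upload_dir "$1" "$2"
fi
```
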