
I have inherited an old CMS system that I have just cleansed from a massive hack attack. I copied all the files and databases, scrapped the old server, cleansed the files via various means, cleansed the database, built a new Ubuntu 14 server with uber safeguards (many countries blocked, trip wire and so on) and we have been running fine for a few days now, except the original loophole that kicked all this off is still open (a document management component).

I have to make an upgrade to this very old component, which is going to take me a few days as it's been heavily customised, but the weak spot it has created is that people can use a system to upload files to the images folder and execute a script.

Currently I have the entire folder set to read-only, which is a draconian fix to temporarily stop any new uploads, which is preventing the component being used, whereas all I need to do is set the ./images folder to read / write but just NOT execute for anything inside it.

I just want to make sure that anyone uploading files using this system automatically inherits this permission (or lack of), and ideally only allow jpg, pdf and gif file types (.htaccess I suspect).

How can I best set this inheritance on the images folder?

This folder is only accessed by the website (i.e. www-data:www-data).

There is no other access or complex multiple group permissions required.

  • How is the script able to be executed? Does the Apache user have permissions to utilize things in /bin, /sbin, /usr/bin, /usr/sbin, etc.? I know you moved to a new server, but are you able to actually stop Apache from running such things?

    More importantly, to answer your question, you need to set an ACL on the folder.

    – Justin Edmands May 01 '15 at 16:48
  • http://unix.stackexchange.com/questions/1314/how-to-set-default-file-permissions-for-all-folders-files-in-a-directory?rq=1 – Justin Edmands May 01 '15 at 16:55
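
An added example, not part of the original question or comments: a shell sketch for the `./images` upload folder that lists files whose extension is outside jpg/pdf/gif, lists files carrying any execute bit, and strips those bits. The function names and the `ALLOWED_EXT` variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: audit an upload directory such as ./images.
# ALLOWED_EXT and all function names are assumptions, not from the CMS.
ALLOWED_EXT="jpg pdf gif"

# Print every file under $1 whose extension is not in the allowlist.
# Extensions are compared case-insensitively; files with no extension
# are reported as well.
list_disallowed() {
    find "$1" -type f | while IFS= read -r f; do
        name=${f##*/}
        case "$name" in
            *.*) ext=$(printf '%s' "${name##*.}" | tr '[:upper:]' '[:lower:]') ;;
            *)   ext="" ;;
        esac
        ok=0
        for a in $ALLOWED_EXT; do
            if [ "$ext" = "$a" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then printf '%s\n' "$f"; fi
    done
}

# Print every file under $1 with an execute bit set for user, group or other.
list_executable() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \)
}

# Remove execute bits from regular files only; directories keep theirs,
# because a directory needs the x bit to be traversed.
strip_exec_bits() {
    find "$1" -type f -exec chmod a-x {} +
}
```

File mode bits do not stop a web server module from interpreting an uploaded script by its extension, so the allowlist report matters as much as the execute-bit report.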
