I've developed a web application that lets users upload images and transform them, to later download them again transformed. I obviously had to give the Apache user permissions on the directory where users can upload:
$ chown root:www-data uploadFolder
$ chmod 1775 uploadFolder
This gives the Apache group all permissions except removing.
The application creates a directory for each user session inside the uploadFolder directory with 0700 permissions, and saves the user's images inside.
The uploadFolder is inside the application directory.
When the image is uploaded, it is served directly (like a link) to the client.
A crontab job executes a script every 20 minutes that checks which sessions are active and removes all files and folders inside uploadFolder that don't match any active session.
It has been working fine for two months, but I'm not sure whether it could be dangerous for my application, database, or other sites on the same VPS.
Does anybody know the risk of being permissive in this situation?
Is there any alternative to avoid it?
This is my Apache site configuration:
<VirtualHost *:80>
    ServerName www.itransformer.es
    ServerAlias itransformer.es *.itransformer.es
    DocumentRoot /siteFolder
    <Directory /var/www/itransformer-2.0/web>
        AllowOverride all
        Options -Indexes
    </Directory>
</VirtualHost>
I added this snippet to the Apache site configuration (this should avoid reading .htaccess files):
<Directory /uploadFolder>
    AllowOverride none
    Options -Indexes
</Directory>
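The cleanup job and permission scheme described in the question, as an added example that is not the poster's own script: it checks the 1775/0700 modes and purges entries that do not belong to an active session without following symlinks out of the upload tree. The function names, the session and file names, and the assumption that each session directory is named after its session ID are all hypothetical.

```python
import os
import shutil
import stat
import tempfile


def audit_modes(upload_root):
    """Report deviations from the modes in the post: 1775 root, 0700 session dirs."""
    findings = []
    root_mode = stat.S_IMODE(os.lstat(upload_root).st_mode)
    if root_mode != 0o1775:
        findings.append(f"{upload_root}: mode {root_mode:04o}, expected 1775")
    for entry in os.scandir(upload_root):
        if entry.is_dir(follow_symlinks=False):
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
            if mode != 0o700:
                findings.append(f"{entry.name}: mode {mode:04o}, expected 0700")
    return findings


def purge_stale(upload_root, active_sessions):
    """Delete every entry that is not a real directory named after an active session."""
    removed = []
    for entry in list(os.scandir(upload_root)):  # snapshot before deleting
        is_real_dir = entry.is_dir(follow_symlinks=False)
        if is_real_dir and entry.name in active_sessions:
            continue
        if is_real_dir:
            shutil.rmtree(entry.path)  # unlinks symlinks inside, does not follow them
        else:
            os.unlink(entry.path)  # file or symlink: only the link itself goes
        removed.append(entry.name)
    return sorted(removed)


def build_sample_tree():
    """Constructed sample tree; returns (upload root, file outside it)."""
    base = tempfile.mkdtemp()
    root, outside = os.path.join(base, "uploadFolder"), os.path.join(base, "outside")
    for d, mode in ((root, 0o1775), (outside, 0o755),
                    (os.path.join(root, "sess_a"), 0o700),
                    (os.path.join(root, "sess_old"), 0o755)):
        os.mkdir(d)
        os.chmod(d, mode)
    for f in ("sess_a/img.jpg", "sess_old/img.jpg", "loose.jpg", "../outside/keep.txt"):
        open(os.path.join(root, f), "w").close()
    os.symlink(outside, os.path.join(root, "sess_link"))  # points out of the tree
    return root, os.path.join(outside, "keep.txt")
```

A symlink that carries an active session's name is removed rather than trusted, because only real directories are kept.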