I wouldn't if I were you. It's a very scary idea.

If you insist, you could always write to file with a list of files to delete from the CGI and run a cron job that periodically does the actual deletion and empties the file list.

Hope this helps, -gjb-

Maybe I interpret the OP's question wrongly, but if the script in question presented the user with a list of the files they uploaded, and allows them to indicate which of those files are to be deleted by clicking check boxes or radio buttons, and the selection made is mapped to actual path/file at the server. Ie. The path information is not derived from any source that the user has the ability to edit. (Phew! A lot of caveats!)

Under those circumstances, there is no reason that files should not be deleted on behalf of the user is there?

If the fear is that the user might supply the names of files other than those which they might legitimately want to delete, I fail to see how marking files for deletion in the script and having another automated process delete them would be any more secure?

I'm not really up-to-scratch on *nix security, but surely it would be possible to create an account specifically for running the webserver that only had delete privileges in the upload directory and nowhere else?

---

Okay you lot, get your wings on the left, halos on the right. It's one size fits all, and "No!", you can't have a different color.
Pick up your cloud down the end and "Yes" if you get allocated a grey one they are a bit damp under foot, but someone has to get them.
Get used to the wings fast cos its an 8 hour day...unless the Govenor calls for a cyclone or hurricane, in which case 16 hour shifts are mandatory.
Just be grateful that you arrived just as the tornado season finished. Them buggers are real work.

If one's very careful (and sufficiently self-confident ;-) it's possible to code this in a way that's pretty safe. The problem is that if somehow the use might get a filepath smuggled in somehow, there's a lot of havoc to be created.

The Unix permissions are not as fine-grained as those of Windows NT/2000. The Unix write permission allows one to change and delete the object. This means that any file that can be written by the userID running the httpd can be changed/deleted, including log files.

Again, if one can make absolutely sure that the user never gets to set filepaths, for example by using a hash to map an file ID to an actual file name, there's no problem in having users delete files.

I just wanted to stress that one has to be very alert when writing this kind of scripts.

Just my 2 cents, -gjb-

I second that idea.

Allowing other users to delete items is iffy. I'd like to suggest "marking" the files deleted, and generate a report of "deleted" files.

Now, I'm not against deleting files via CGI, but there are unforeseen dangers in allowing anyone to delete information from your server. If you do decide to allow file deletion, use strict; Taint (-T) and lots of self checking to make sure someone down the road doesn't decide to poke around and inadvertantly wipe out information you'd grown attached to.

John J Reiser
newrisedesigns.com

...because your script is running under apache that is "nobody"...

Well, one would hope that Apache is at least running scripts as a non-privileged account. I had the misfortune recently to come across an Apache installation on one of our Solaris boxes that was running scripts as root. A quick phone call to the sysadmin followed by some httpd.conf tweakage soon cleared that one up thankfully ;-)

-- vek --