diff --git a/utils/create_image.in b/utils/create_image.in
index 89a9a446719ebbee5632c21ae7da0c29195923de..e146fff0804c8cbff93d81d074ec71ded16e2053 100755
--- a/utils/create_image.in
+++ b/utils/create_image.in
@@ -9,6 +9,7 @@
 use English;
 use Getopt::Std;
 use POSIX qw(setsid);
+use File::Basename;
 
 #
 # Create a disk image.
@@ -203,9 +204,13 @@ my $filename = $imageid_row{'path'};
 my $isglobal = $imageid_row{'global'};
 
 #
-# If a global image, make up a name. Admin person will need to copy image
-# to boss.
+# Throw an error if the image is global; we cannot write images into
+# /usr/testbed/images. In fact, lets check the filename just in case.
 #
+if ($isglobal) {
+    die("*** $0:\n".
+	"    Not able to autocreate images that are marked global!\n");
+}
 
 # Untaint. Very silly.
 if ($filename =~ /^([-\w\.\/\+]+)$/) {
@@ -216,6 +221,34 @@ else {
 	"    Bad filename: $filename!\n");
 }
 
+#
+# Make sure real path is someplace that makes sense; remember that the
+# image is created on the nodes, and it NFS mounts directories on ops.
+# Writing the image to anyplace else is just going to break things.
+#
+# Use realpath to resolve any symlinks.
+#
+my $translated = `realpath $filename`;
+if ($translated =~ /^([-\w\.\/]+)$/) {
+    $filename = $1;
+}
+else {
+    die("*** $0:\n".
+	"    Bad data returned by realpath: $translated\n");
+}
+
+#
+# The file must reside in /proj, /groups, or /users. Since this script
+# runs as the caller, regular file permission checks ensure its a file
+# the user is allowed to use. 
+#
+if (! ($filename =~ /^\/proj/) &&
+    ! ($filename =~ /^\/groups/) &&
+    ! ($filename =~ /^\/users/)) {
+    die("*** $0:\n".
+	"    $filename does not resolve to an allowed directory!\n");
+}
+
 #
 # Be sure to kill off running frisbee. If a node is trying to load that
 # image, well tough. 
diff --git a/www/defs.php3.in b/www/defs.php3.in
index 9f27dcdf1b652036dfa650f09c714d687f30a168..44749b81c190f06c3f1188bb2efc6a32b35b2c52 100644
--- a/www/defs.php3.in
+++ b/www/defs.php3.in
@@ -209,6 +209,7 @@ define("SUEXEC_ACTION_CONTINUE",	0);
 define("SUEXEC_ACTION_DIE",		1);
 define("SUEXEC_ACTION_USERERROR",	2);
 define("SUEXEC_ACTION_IGNORE",		3);
+define("SUEXEC_ACTION_DUPDIE",		4);
 
 #
 # An suexec error.
@@ -235,6 +236,10 @@ function SUEXECERROR($action)
         break;
     case SUEXEC_ACTION_IGNORE:
 	break;
+    case SUEXEC_ACTION_DUPDIE:
+	TBERROR($foo, 0, 1);
+	USERERROR("<XMP>$foo</XMP>", 1);
+        break;
     default:
 	TBERROR($foo, 1, 1);
     }
diff --git a/www/loadimage.php3 b/www/loadimage.php3
index 032c883a2ea8de61f7fcf240f111a5245e03e9c8..c7fac0377dfdb1d4010cf30d830cf3f840581cb3 100644
--- a/www/loadimage.php3
+++ b/www/loadimage.php3
@@ -1,7 +1,7 @@
 <?php
 #
 # EMULAB-COPYRIGHT
-# Copyright (c) 2000-2003 University of Utah and the Flux Group.
+# Copyright (c) 2000-2004 University of Utah and the Flux Group.
 # All rights reserved.
 #
 include("defs.php3");
@@ -80,7 +80,7 @@ if (! TBNodeAccessCheck($uid, $node, $TB_NODEACCESS_LOADIMAGE)) {
 }
 
 # Should check for file file_exists($image_path),
-# but that's too messy.
+# but too messy.
 
 if (! isset($confirmed) ) {
     echo "<center><form action='loadimage.php3' method='post'>\n".
@@ -107,7 +107,8 @@ echo "<br>
       <br><br>\n";
 flush();
 
-SUEXEC($uid, $unix_gid, "webcreateimage -p $image_pid $image_name $node", 1);
+SUEXEC($uid, $unix_gid, "webcreateimage -p $image_pid $image_name $node",
+       SUEXEC_ACTION_DUPDIE);
 
 echo "This will take 10 minutes or more; you will receive email
       notification when the snapshot is complete. In the meantime,
diff --git a/www/newimageid.php3 b/www/newimageid.php3
index e8d91cb2a121e84f60120d23aa9357647c2fb1c7..f36048ccd5b7b98474ae6d00b565a913b7a79dfe 100644
--- a/www/newimageid.php3
+++ b/www/newimageid.php3
@@ -896,7 +896,8 @@ if (isset($node)) {
           <br><br>\n";
     flush();
 
-    SUEXEC($uid, $unix_gid, "webcreateimage -p $pid $imagename $node", 1);
+    SUEXEC($uid, $unix_gid, "webcreateimage -p $pid $imagename $node",
+	   SUEXEC_ACTION_DUPDIE);
 
     echo "This will take 10 minutes or more; you will receive email
           notification when the image is complete. In the meantime,
diff --git a/www/newimageid_ez.php3 b/www/newimageid_ez.php3
index 37fbbefe51a278ec21cc33edd3b10ac24c0e44d5..11cb44750c2f56aa9118e449af7bfe2fb3dc68e9 100644
--- a/www/newimageid_ez.php3
+++ b/www/newimageid_ez.php3
@@ -879,7 +879,7 @@ if ($cancelled) {
 $confirmationWarning = "";
 
 #
-# If user doesn't define a node to suck the image from,
+# If user does not define a node to suck the image from,
 # we seek confirmation.
 #
 if (! isset($node)) {
@@ -1041,7 +1041,8 @@ if (isset($node)) {
           <br><br>\n";
     flush();
 
-    SUEXEC($uid, $unix_gid, "webcreateimage -p $pid $imagename $node", 1);
+    SUEXEC($uid, $unix_gid, "webcreateimage -p $pid $imagename $node",
+	   SUEXEC_ACTION_DUPDIE);
 
     echo "This will take 10 minutes or more; you will receive email
           notification when the image is complete. In the meantime,