[pmwiki-users] Security breach?

DaveG pmwiki at solidgone.com
Mon Dec 22 17:53:53 CST 2008


Setting things to 755 is safer than 777. The question is, will that work 
on your site, with your host, with your version of PHP, with the setup 
of the webserver you have? I don't know. Easiest way to find out is 
after creating wiki.d and uploads, to set them to 755; if you can create 
or edit a wiki page through the normal way, then you're done.

And I agree, the wiki page is not too clear. I just don't have enough 
knowledge to confidently update it.

  ~ ~ Dave

adam overton wrote:
> 
> hi rogut
> thanks for the email, but since i'm not a trained web-admin, that page 
> you sent is simply mystifying, and doesn't seem to say anything about 
> changing permissions of folders to 775 as Dave suggested.
> if pmwiki is so open to multiple levels of users, and what you say is 
> true, wouldn't the pmwiki documentation somewhere simply say:
> 
> step 1: change permissions to 777
> step 2: create your directories
> step 3: change your permissions back to ___
> 
> ?
> i don't see anything anywhere on the site that says this in layman's 
> language. everything else is so clear and straight-forward, but this 
> huge security issue doesn't say anywhere what to set. and, as stated in 
> the safe-mode section, if i recall correctly i had to change those two 
> directories, uploads and wiki.d, to 777 in order to be able to write 
> into them.
> 
> so, following what the pmwiki website seems to say, i've basically got 
> everything set to 755 except uploads and wiki.d which are set to 777. if 
> this is not right, can someone (preferably patrick) put directly in 
> layman's terms what should be the correct settings? i really don't want 
> to make a drastic move dealing with security without seeing something in 
> print on the site that says "everything is going to be just fine if ___", 
> know what i mean?
> 
> thx again!
> adam
> 
> 
>>
>> Message: 3
>> Date: Tue, 23 Dec 2008 00:13:30 +0200
>> From: Rogut?s <rogutes at googlemail.com>
>> Subject: Re: [pmwiki-users] Security breach?
>> To: pmwiki-users at pmichaud.com
>> Message-ID: <20081222221330.GA7454 at ugu.dokeda.lt>
>> Content-Type: text/plain; charset=utf-8
>>
>> adam overton (2008-12-22 13:00):
>>>
>>> hi, is this true?
>>>
>>>> Either way, don't set
>>>> anything to 777.
>>>
>>>
>>> b/c the installation instructions for pmwiki
>>> (http://pmwiki.org/wiki/PmWiki/Installation) say setting uploads and
>>> wiki.d to 777. should they be 775 instead? just wondering if there's
>>> any consensus on this before i go start twiddling, changing permissions...
>>>
>>> thx
>>> adam
>>
>>
>> When starting with a clean PmWiki installation and navigating to
>> pmwiki.php, one is greeted with this rather familiar error message:
>> "PmWiki needs to have a writable $dir/ directory before it can continue."
>> and an explanation how to set appropriate permissions for wiki.d/. Two
>> suggestions are provided by Pm:
>> 1. Chmod wiki.d to 777.
>> 2. Chmod wiki.d to 2777 (use the setguid bit), reload and chmod it to
>>    whatever it was before.
>>
>> The second option is said to lead to "a slightly more secure
>> installation", but it is only displayed (and usable) if PHP safemode is
>> turned off.
>>
>> Refer to pmwiki.org for explanations:
>> http://pmwiki.org/wiki/PmWiki/FilePermissions
>>
>> Anyway, this kind of security (hiding of world writable directories to
>> other users) should be provided by the ones selling shared hosting
>> services.
>>
>>
>> --  Rogut?s
>>
> 
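Whether 755 is enough depends on which account PHP runs as relative to each directory's owner and group, which is why the thread cannot give one answer for every host. The script below is an added example, not part of the original messages or of PmWiki: it reports whether wiki.d and uploads are world-writable and the least permissive mode that would still let the web server write. The web server account name (www-data in the usage line) is an assumption you supply for your own host.

```shell
#!/bin/sh
# Added example, not from the thread. WEBUSER is an assumption: the account
# PHP runs as on your host (your own login if the host runs PHP as you).

# Pure decision: least permissive mode that lets WEBUSER write to a
# directory owned by OWNER:GROUP. WEBGROUPS is WEBUSER's group list.
needed_mode() {
    owner=$1 group=$2 webuser=$3 webgroups=$4
    [ "$owner" = "$webuser" ] && { echo 755; return; }
    for g in $webgroups; do
        [ "$g" = "$group" ] && { echo 775; return; }
    done
    # No owner or group match: only "other" write works, unless the host
    # changes the directory's ownership or group for you.
    echo 777
}

# Succeeds if DIR grants write permission to "other" (9th char of ls mode).
is_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Report the current state of DIR and the least mode WEBUSER needs.
audit_dir() {
    dir=$1 webuser=$2
    set -- $(ls -ld "$dir")                     # $3 = owner, $4 = group
    webgroups=$(id -Gn "$webuser" 2>/dev/null)  # empty if the user is unknown
    mode=$(needed_mode "$3" "$4" "$webuser" "$webgroups")
    if is_world_writable "$dir"; then
        state="world-writable"
    else
        state="not world-writable"
    fi
    echo "$dir: owner=$3 group=$4 ($state); least mode for $webuser: $mode"
}

# Usage: sh audit.sh www-data wiki.d uploads
if [ $# -ge 2 ]; then
    webuser=$1; shift
    for d in "$@"; do audit_dir "$d" "$webuser"; done
fi
```

After changing a mode, confirm it the way Dave describes: create or edit a wiki page through the normal interface.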