[pmwiki-users] Security breach?

DaveG pmwiki at solidgone.com
Tue Dec 23 09:00:23 CST 2008


I'd suggest using something like WinSCP -- which is free, and lets you 
set the GUID flag.

PKHG wrote:
> Hallo,
> 
> Using an FTP-client for changing protection codes, I do not have the 
> possibility to set the guid bit (I mean chmod 2777) ?!
> 
> And (my) ftp direct does not have a chmod at all?
> 
> So that ‘trick’ is not possible for everybody?
> 
> Greetings
> 
>           Peter
> 
> *Van:* pmwiki-users-bounces at pmichaud.com 
> [mailto:pmwiki-users-bounces at pmichaud.com] *Namens *James M
> *Verzonden:* dinsdag 23 december 2008 1:39
> *CC:* pmwiki-users at pmichaud.com
> *Onderwerp:* Re: [pmwiki-users] Security breach?
> 
> On Mon, Dec 22, 2008 at 11:53 PM, DaveG <pmwiki at solidgone.com 
> <mailto:pmwiki at solidgone.com>> wrote:
> 
>     Setting things to 755 is safer than 777. The question is, will that work
>     on your site, with your host, with your version of PHP, with the setup
>     of the webserver you have? I don't know. Easiest way to find out is
>     after creating wiki.d and uploads, to set them to 755; if you can create
>     or edit a wiki page through the normal way, then you're done.
> 
> As far as I understand, setting to 755 won't usually work (and doesn't 
> on my system), unless the server has the same user id as the owner of 
> the pmwiki directory: with 755 only the user (owner) has write 
> permission. Pm's suggestion of using the setgid bit is a way round that.  
> 
> So it seems the correct steps are as follows:
> 
> 1.  In the pmwiki directory, type
> 
> chmod 2777 .
> 
> (with the dot) - this makes the pmwiki completely open for the moment, 
> but it has the added effect of using the setgid bit (that's what the 2 
> refers to in 2777)
> 
> 2. Execute pmwiki.php through your browser.  This will create the wiki.d 
> directory. 
> 
> (Suggestion: if you already have a wiki.d directory, rename it say to 
> xwiki.d. create the wiki.d directory as above and then move all the 
> files across - there's probably a better way - but I don't know what it 
> would be - I think you need the server to be the new owner)
> 
> If you use uploads, then do an upload to create the new directory 
> (perhaps this can be improved) (and use the same trick as before if you 
> already have an uploads directory)
> 
> 3. Still in the pmwiki directory, type
> 
> chmod 755 .
> 
> and that reverts the pmwiki directory to be as it was before you started. 
> 
> The upshot is that the wiki.d (and uploads) directory is now owned by 
> the server - and the ownership is recorded as "apache" or "nobody" (it's 
> "apache" on mine) or perhaps something else, but this magic setgid (set 
> group id) makes sure the server is in the same group as you (the user), 
> so you can administer the files too. 
> 
> Does that make sense?  (And is it correct? - I'm not a unix expert - 
> just a long-time long-in-the-tooth user)
> 
> James
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
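The three chmod steps James quotes above can be checked on a scratch directory before touching a live site. The script below is an added example and is not code from this thread or from PmWiki itself: it assumes a throwaway directory from `mktemp -d` stands in for the pmwiki directory and that a plain `mkdir` stands in for `pmwiki.php` creating `wiki.d` on its first run. It replays steps 1 to 3 and then verifies, with POSIX tools only, the three things the message claims: `wiki.d` inherits the setgid bit, it is in the same group as its parent, and the parent is no longer writable by "other" once step 3 has run.

```shell
#!/bin/sh
# Added example, not part of the list thread: replays the three chmod steps
# from the quoted message on a throwaway directory and checks what they did.
# Assumptions: a scratch dir from mktemp stands in for the pmwiki directory,
# and a plain mkdir stands in for pmwiki.php creating wiki.d on first run.
set -eu

# True if the directory carries the setgid bit (the leading "2" in 2777).
has_setgid() { [ -g "$1" ]; }

# True if "other" may write to the path: column 9 of `ls -ld` is the
# other-write flag. This is the risky part of 777 and of 2777.
world_writable() { [ "$(ls -ld "$1" | cut -c9)" = "w" ]; }

# Group owner of a path (field 4 of the long listing).
group_of() { ls -ld "$1" | awk '{ print $4 }'; }

# Run the procedure from the thread against $1 and return 0 only if the
# outcome the message describes actually holds: wiki.d exists, is setgid,
# shares the parent's group, and the parent is closed to "other" again.
setgid_procedure() {
    base=$1
    chmod 2777 "$base"                    # step 1: open it up, with setgid
    has_setgid "$base"     || return 1
    world_writable "$base" || return 1    # the window to keep as short as possible
    mkdir "$base/wiki.d"                  # step 2: what pmwiki.php does on first run
    chmod 755 "$base"                     # step 3: close the parent again
    world_writable "$base" && return 1
    # A directory created inside a setgid directory inherits the group and,
    # on Linux and the BSDs, the setgid bit itself, so uploads/ would get it too.
    has_setgid "$base/wiki.d" || return 1
    [ "$(group_of "$base/wiki.d")" = "$(group_of "$base")" ] || return 1
    return 0
}

# Stand-alone run: report the result on a scratch directory and clean up.
demo() {
    tmp=$(mktemp -d)
    if setgid_procedure "$tmp"; then
        echo "ok: wiki.d is setgid, in group $(group_of "$tmp"), parent closed to other again"
    else
        echo "procedure did not behave as the thread describes on this system"
    fi
    ls -ld "$tmp" "$tmp/wiki.d"
    rm -rf "$tmp"
}
demo
```

Two things worth knowing when reading the `ls -ld` output. The group column of `wiki.d` is what matters for the "server is in the same group as you" claim: on a real host the web server process, not you, runs `mkdir`, so the owner column will read `apache` or `nobody` while the group column still shows your group, and that is the only reason you can keep administering the files. Second, GNU `chmod` leaves an existing setgid bit on a directory in place when given a plain numeric mode such as `755`, so after step 3 the pmwiki directory will usually show as `drwxr-sr-x` rather than being exactly "as it was before"; `chmod g-s .` clears it if you want that, and the script deliberately does not assert either way.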



