[pmwiki-users] Security breach?
DaveG
pmwiki at solidgone.com
Tue Dec 23 09:00:23 CST 2008
I'd suggest using something like WinSCP -- which is free, and lets you
set the GUID flag.
PKHG wrote:
> Hello,
>
> Using an FTP-client for changing protection codes, I do not have the
> possibility to set the guid bit (I mean chmod 2777) ?!
>
> And (my) ftp direct does not have a chmod at all?
>
> So that ‘trick’ is not possible for everybody?
>
> Greetings
>
> Peter
>
>
>
> *From:* pmwiki-users-bounces at pmichaud.com
> [mailto:pmwiki-users-bounces at pmichaud.com] *On behalf of *James M
> *Sent:* Tuesday 23 December 2008 1:39
> *CC:* pmwiki-users at pmichaud.com
> *Subject:* Re: [pmwiki-users] Security breach?
>
>
>
> On Mon, Dec 22, 2008 at 11:53 PM, DaveG <pmwiki at solidgone.com
> <mailto:pmwiki at solidgone.com>> wrote:
>
> Setting things to 755 is safer than 777. The question is, will that work
> on your site, with your host, with your version of PHP, with the setup
> of the webserver you have? I don't know. Easiest way to find out is
> after creating wiki.d and uploads, to set them to 755; if you can create
> or edit a wiki page through the normal way, then you're done.
>
>
>
>
>
> As far as I understand, setting to 755 won't usually work (and doesn't
> on my system), unless the server has the same user id as the owner of
> the pmwiki directory: with 755 only the user (owner) has write
> permission. Pm's suggestion of using the setgid bit is a way round that.
>
> So it seems the correct steps are as follows:
>
>
>
> 1. In the pmwiki directory, type
>
> chmod 2777 .
>
> (with the dot) - this makes the pmwiki completely open for the moment,
> but it has the added effect of using the setgid bit (that's what the 2
> refers to in 2777)
>
>
>
> 2. Execute pmwiki.php through your browser. This will create the wiki.d
> directory.
>
> (Suggestion: if you already have a wiki.d directory, rename it, say, to
> xwiki.d. Create the wiki.d directory as above and then move all the
> files across - there's probably a better way - but I don't know what it
> would be - I think you need the server to be the new owner)
>
>
>
> If you use uploads, then do an upload to create the new directory
> (perhaps this can be improved) (and use the same trick as before if you
> already have an uploads directory)
>
>
>
> 3. Still in the pmwiki directory, type
>
> chmod 755 .
>
> and that reverts the pmwiki directory to be as it was before you started.
>
>
>
>
>
> The upshot is that the wiki.d (and uploads) directory is now owned by
> the server - and the ownership is recorded as "apache" or "nobody" (it's
> "apache" on mine) or perhaps something else, but this magic setgid (set
> group id) makes sure the server is in the same group as you (the user),
> so you can administer the files too.
>
>
>
> Does that make sense? (And is it correct? - I'm not a unix expert -
> just a long-time long-in-the-tooth user)
>
>
>
> James
>
>
>
>
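
The three chmod steps discussed in this thread can be checked afterwards with a short script. This is an added example, not part of any post in the thread: it assumes a stat that accepts -c (GNU or BusyBox) and a server umask of 022, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check a PmWiki directory after the three steps in the thread.
# Assumes GNU or BusyBox stat (-c). Function names are hypothetical.

mode_of()  { stat -c '%a' "$1"; }   # octal mode, e.g. 2755
gid_of()   { stat -c '%g' "$1"; }   # numeric group id

# Succeeds when the "other" write bit is set (last octal digit 2, 3, 6 or 7).
world_writable() {
    m=$(mode_of "$1")
    case ${m#"${m%?}"} in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# Stand-in for steps 1-3; mkdir plays the part of pmwiki.php (umask 022 assumed).
simulate_steps() {
    mkdir -p "$1" && chmod 2777 "$1" || return 1     # step 1
    ( umask 022; mkdir "$1/wiki.d" ) || return 1     # step 2
    chmod 755 "$1"                                   # step 3
}

# Prints one line per finding; the return value is the number of findings.
audit_pmwiki() {
    base=$1; problems=0
    if world_writable "$base"; then
        echo "$base is still world-writable ($(mode_of "$base")): step 3 not done"
        problems=$((problems + 1))
    fi
    for sub in wiki.d uploads; do
        d=$base/$sub
        [ -d "$d" ] || continue
        if [ "$(gid_of "$d")" != "$(gid_of "$base")" ]; then
            echo "$d: group differs from $base, setgid was not in effect at creation"
            problems=$((problems + 1))
        fi
        if world_writable "$d"; then
            echo "$d is world-writable ($(mode_of "$d"))"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Demo in a throwaway sandbox (constructed path, not a real install).
sandbox=$(mktemp -d)
simulate_steps "$sandbox/pmwiki" && audit_pmwiki "$sandbox/pmwiki" \
    && echo "ok: modes $(mode_of "$sandbox/pmwiki") $(mode_of "$sandbox/pmwiki/wiki.d")"
rm -rf "$sandbox"
```

With GNU coreutils, `chmod 755 .` leaves a directory's setgid bit in place, so the parent may read 2755 afterwards; `chmod g-s .` clears it.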