[pmwiki-users] Uploaded files world readable!?

Oliver Betz list_ob at gmx.net
Mon Dec 31 10:19:27 CST 2012


Petko Yotov wrote:

(BTW sorry to all for my triple posting during the mailing list
hiccup)

[...]

>I assume that on some installations, one can have the FTP account, the
>PHP CGI/FastCGI process and the HTTP server all 3 different owners, and if
>the server doesn't have read permissions, visitors will see the error 403
>forbidden.

I know two hosters running Apache under one single account per server,
therefore files processed by Apache need "group" (df.eu) or
"other" (variomedia.de) permissions.

http://www.df.eu/de/service/df-faq/webhosting/weitere-technische-faq/rechtevergabe/

At both hosters, PHP runs under the customer's account, therefore only
"owner" permissions are required for everything processed by PHP.

[...]

>Patrick, do you think this second argument should be made modifiable by a  
>wiki admin? And should it be 0444 by default or O?

I would appreciate this.

Where I use $EnableDirectDownload=0;, I don't need to add permissions
for group or other.

And we also should think about _removing_ permissions, see below!

>The function fixperms() is only called with a second argument from
>upload.php. This second argument was added in version 2.0.devel27
>(25-Nov-2004).
>
>> > BTW: There is no "fixperms" for "Mini" thumbnails.
>
>Both Thumblist and Mini don't use the fixperms() function for the
>thumbnails. Indeed, since 2006, nobody has told me there was a problem with
>permissions. But also, both recipes provide a way to remove the thumbnails
>from within the wiki with ?action=purgethumbs so probably nobody needed
>this, ever.

There seem to be default permissions for files created by PHP, and
they differ among hosting providers.

I found 0640 and 0664 permissions for Mini thumbs. The latter is
nonsense IMNSHO, I already asked the hosting provider how I can change
it.

Files uploaded by PmWiki got 0664 in all three cases - fixperms adds
unneeded group write (and read) permissions even if PHP runs under the
customer's account.

If I understand correctly, other customers on the same server can
therefore not only read files written by PmWiki but also write them if
they can guess the file path.

Oliver
-- 
Oliver Betz, Muenchen (oliverbetz.de)
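An added example illustrating the check raised in this message (it is not PmWiki code and not part of the original post): a small shell audit that lists files under an uploads directory which carry the group/other write bits that 0664 grants, and a helper that strips them. It assumes GNU find/stat (the `-perm /mode` and `stat -c` forms) and that the path passed is the wiki's upload directory.

```sh
#!/bin/sh
# Audit and tighten permissions on PmWiki upload files.
# Assumes GNU find and GNU stat (Linux hosts); the directory name is supplied
# by the caller, e.g. the wiki's uploads/ directory.

# List every regular file under DIR that is group- or other-writable
# (any of the 0022 bits set), one "octal-mode path" line per file.
# A 0664 file shows up here; a 0640 or 0644 file does not.
list_loose_uploads() {
    find "$1" -type f -perm /022 -exec stat -c '%a %n' {} \; | sort
}

# Apply a symbolic chmod to every regular file under DIR.
# Default "go-w" removes only the write bits that fixperms-style 0664 adds
# while keeping group/other read, which a hoster running Apache under a
# separate account still needs for direct downloads.
# Pass "go-rwx" on hosts where PHP runs as the customer and
# $EnableDirectDownload=0 is set, so only the owner needs access.
tighten_uploads() {
    dir=$1
    mode=${2:-go-w}
    find "$dir" -type f -exec chmod "$mode" {} +
}

# Stand-alone use: ./audit.sh /path/to/uploads [symbolic-mode]
# Reports offending files first; tightening only happens if a mode is given.
if [ $# -gt 0 ]; then
    list_loose_uploads "$1"
    if [ $# -gt 1 ]; then
        tighten_uploads "$1" "$2"
    fi
fi
```

Run it read-only first to see which files would change; the listing is the same one a hosting customer can compare against the provider's documented permission requirements.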
