<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>no, that statement pertains to the 'pmwiki' directory, not the directories within it (wiki.d, uploads)</div><div><br></div><div><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Verdana; font-size: 11px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; ">i'm still confused - i </span>used option 3b, to create 'wiki.d' and 'uploads', which instructs me to set them to 777. it doesn't say anywhere to then change those directories to something else afterward, and so this doesn't jibe with the statement "don't set anything to 777". if it does, then the language on this essential installation page needs to be corrected, right?</div><div><br></div><div>?</div><div>thx!</div><div>adam</div><div><br></div><div><br></div><div><div>On 22 Dec 2008, at 3:08 PM, Radu Luchian wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Yes, it's true. On the page you're pointing to, you missed this text:<br><br>"Important: If you used method 3b, you should reset permissions by executing "<code class="escaped">chmod 755 .</code>" in the directory containing pmwiki.php."<br> <br>Cheers,<br>Radu<br><br><div class="gmail_quote">On Mon, Dec 22, 2008 at 2:00 PM, adam overton <span dir="ltr"><<a href="mailto:a@plus1plus1plus.org">a@plus1plus1plus.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <br> hi, is this true?<br> <br> > Either way, don't set<br> > anything to 777.<br> <br> <br> b/c the installation instructions for pmwiki (<a href="http://pmwiki.org/wiki/" target="_blank">http://pmwiki.org/wiki/</a><br> PmWiki/Installation) say setting uploads and wiki.d to 777. should<br> they be 775 instead? just wondering if there's any consensus on this<br> before i go start twiddling, changing permissions...<br> <br> thx<br> adam<br> <br> <br> > Message: 6<br> > Date: Mon, 22 Dec 2008 10:25:35 -0500<br> > From: DaveG <<a href="mailto:pmwiki@solidgone.com">pmwiki@solidgone.com</a>><br> > Subject: Re: [pmwiki-users] Security breach?<br> > To: <a href="mailto:jamesm1415@googlemail.com">jamesm1415@googlemail.com</a>, <a href="mailto:pmwiki-users@pmichaud.com">pmwiki-users@pmichaud.com</a><br> > Message-ID: <<a href="mailto:4a708741ac82d970e15efebd74de3dd0@solidgone.com">4a708741ac82d970e15efebd74de3dd0@solidgone.com</a>><br> > Content-Type: text/plain; charset="UTF-8"<br> ><br> ><br> >> What happens is that the hackers use the uploads directory<br> >> (with 777 permissions) to upload php files, and then it seems<br> >> these php<br> >> files can be used to access other parts of the filesystem (if I<br> > understood<br> > <...snip...><br> >> If a directory has 777 permissions, is there anything to stop someone<br> >> putting an arbitrary file there??<br> > Not sure why you have directories set to 777; my uploads and wiki.d<br> > directories are all 775; most other directories are 755. Not sure<br> > why some<br> > are 775 -- I suspect they could be changed to 755. Either way,<br> > don't set<br> > anything to 777.<br> ><br> > ~ ~ Dave<br> ><br> ><br> ><br> > ------------------------------<br> ><br> > Message: 7<br> > Date: Mon, 22 Dec 2008 13:45:52 -0200<br> > From: Guillermo Calderon - INCO <<a href="mailto:calderon@fing.edu.uy">calderon@fing.edu.uy</a>><br> > Subject: [pmwiki-users] question about Cookbook/SwitchToSSLMode<br> > To: <a href="mailto:pmwiki-users@pmichaud.com">pmwiki-users@pmichaud.com</a><br> > Message-ID: <giocng$pgv$<a href="mailto:1@ger.gmane.org">1@ger.gmane.org</a>><br> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br> ><br> ><br> > Hi all;<br> > I was reading the page Cookbook/SwitchToSSLMode.<br> > There, a complex solution is described in order to "only actions where<br> > passwords are likely to be passed are sent via SSL"<br> ><br> > However, "The example assumes there are not read-protected pages,<br> > since<br> > any 'read' passwords entered to view a page would be sent via a non-<br> > SSL<br> > connection"<br> ><br> > It sounds too restricted since (almost) every wiki has some<br> > read-protected pages and groups.<br> ><br> > I have implemented a very simple solution where only passwords are<br> > sent<br> > via SSL and the other posts are sent via http.<br> > In config.php:<br> ><br> > SDVA($InputTags['auth_form'], array(<br> > ':html' => "<form<br> > action='https://{$_SERVER['HTTP_HOST']}{$_SERVER<br> > ['REQUEST_URI']}'<br> > method='post'<br> > name='authform'>\$PostVars"));<br> ><br> > This way the action field of the auth-form sends all the information<br> > via https.<br> ><br> > My question: does this solution really work?<br> > (I think so, by I would like to be sure)<br> ><br> > Guillermo<br> ><br> ><br> ><br> ><br> > ------------------------------<br> ><br> > _______________________________________________<br> > pmwiki-users mailing list<br> > <a href="mailto:pmwiki-users@pmichaud.com">pmwiki-users@pmichaud.com</a><br> > <a href="http://www.pmichaud.com/mailman/listinfo/pmwiki-users" target="_blank">http://www.pmichaud.com/mailman/listinfo/pmwiki-users</a><br> ><br> ><br> > End of pmwiki-users Digest, Vol 42, Issue 19<br> > ********************************************<br> <br> <br> _______________________________________________<br> pmwiki-users mailing list<br> <a href="mailto:pmwiki-users@pmichaud.com">pmwiki-users@pmichaud.com</a><br> <a href="http://www.pmichaud.com/mailman/listinfo/pmwiki-users" target="_blank">http://www.pmichaud.com/mailman/listinfo/pmwiki-users</a><br> </blockquote></div><br></blockquote></div><br></body></html>