[pmwiki-users] Security breach?

adam overton a at plus1plus1plus.org
Mon Dec 22 17:37:28 CST 2008


hi rogut
thanks for the email, but since i'm not a trained web-admin, that  
page you sent is simply mystifying, and doesn't seem to say anything  
about changing permissions of folders to 775 as Dave suggested.
if pmwiki is so open to multiple levels of users, and what you say is  
true, wouldn't the pmwiki documentation somewhere simply say:

	step 1: change permissions to 777
	step 2: create your directories
	step 3: change your permissions back to ___

?
i don't see anything anywhere on the site that says this in layman's  
language. everything else is so clear and straight-forward, but this  
huge security issue doesn't say anywhere what to set. and, as stated  
in the safe-mode section, if i recall correctly i had to change those  
two directories, uploads and wiki.d, to 777 in order to be able to  
write into them.

so, following what the pmwiki website seems to say, i've bascially  
got everything set to 755 except uploads and wiki.d which are set to  
777. if this is not right, can someone (preferably patrick) put  
directly in layman's terms what should be the correct settings? i  
really don't want to make a drastic move dealing with security  
without seeing something in print on the site that says "everything  
is going to just fine if ___", know what i mean?

thx again!
adam


>
> Message: 3
> Date: Tue, 23 Dec 2008 00:13:30 +0200
> From: Rogut?s <rogutes at googlemail.com>
> Subject: Re: [pmwiki-users] Security breach?
> To: pmwiki-users at pmichaud.com
> Message-ID: <20081222221330.GA7454 at ugu.dokeda.lt>
> Content-Type: text/plain; charset=utf-8
>
> adam overton (2008-12-22 13:00):
>>
>> hi, is this true?
>>
>>> Either way, don't set
>>> anything to 777.
>>
>>
>> b/c the installation instructions for pmwiki (http://pmwiki.org/wiki/
>> PmWiki/Installation) say setting uploads and wiki.d to 777. should
>> they be 775 instead? just wondering if there's any consensus on this
>> before i go start twiddling, changing permissions...
>>
>> thx
>> adam
>
>
> When starting with a clean PmWiki installation and navigating to
> pmwiki.php, one is greeted with this rather familiar error message:
> "PmWiki needs to have a writable $dir/ directory before it can  
> continue."
> and an explanation how to set appropriate permissions for wiki.d/. Two
> suggestions are provided by Pm:
> 1. Chmod wiki.d to 777.
> 2. Chmod wiki.d to 2777 (use the setguid bit), reload and chmod it to
>    whatever it was before.
>
> The second option is said to lead to "a slightly more secure
> installation", but it is only displayed (and usable) if PHP  
> safemode is
> turned off.
>
> Refer to pmwiki.org for explanations:
> http://pmwiki.org/wiki/PmWiki/FilePermissions
>
> Anyway, this kind of security (hiding of world writable directories to
> other users) should be provided by the ones selling shared hosting
> services.
>
>
> --  Rogut?s
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.pmichaud.com/pipermail/pmwiki-users/attachments/20081222/b0170154/attachment.html 


More information about the pmwiki-users mailing list