[pmwiki-users] Security breach?

Rogutės rogutes at googlemail.com
Mon Dec 22 19:58:46 CST 2008


James M (2008-12-23 00:38):
> On Mon, Dec 22, 2008 at 11:53 PM, DaveG <pmwiki at solidgone.com> wrote:
> 
> > Setting things to 755 is safer than 777. The question is, will that work
> > on your site, with your host, with your version of PHP, with the setup
> > of the webserver you have? I don't know. Easiest way to find out is
> > after creating wiki.d and uploads, to set them to 755; if you can create
> > or edit a wiki page through the normal way, then your done.
> >
> 
> 
> As far as I understand, setting to 755 won't usually work (and doesn't on my
> system), unless the server has the same user id as the owner of the pmwiki
> directory: with 755 only the user (owner) has write permission. Pm's
> suggestion of using the setgid bit is a way round that.
> 
> So it seems the correct steps are as follows:
> 
> 1.  In the pmwiki directory, type
> chmod 2777 .
> (with the dot) - this makes the pmwiki completely open for the moment, but
> it has the added effect of using the setgid bit (that's what the 2 refers to
> in 2777)
> 
> 2. Execute pmwiki.php through your browser.  This will create the wiki.d
> directory.
> (Suggestion: if you already have a wiki.d directory, rename it say to
> xwiki.d. create the wiki.d directory as above and then move all the files
> across - there's prbably a better way - but I don't know what it would be -
> I think you need the server to be the new owner)
> 
> If you use uploads, then do an upload to create the new directory (perhaps
> this can be improved) (and use the same trick as before if you already have
> an uploads directory)
> 
> 3. Still in the pmwiki directory, type
> chmod 755 .
> and that reverts the pmwiki directory to be as it was before you started.
> 
> 
> The upshot is that the wiki.d (and uploads) directory is now owned by the
> server - and the ownership is recorded as "apache" or "nobody" (it's
> "apache" on mine) or perhaps something else, but this magic setgid (set
> group id) makes sure the server is in the same group as you (the user), so
> you can administer the files too.
> 
> Does that make sense?  (And is it correct? - I'm not a unix expert - just a
> long-time long-in-the-tooth user)
> 
> James

Yes, what you said makes sense.

But...
(1) If wiki.d/ is world writable (777), everyone can read/write files in
   wiki.d/
(2) if wiki.d/ is created the way you described (which is slightly more
   secure), the owner of the php process and the users in the group of
   pmwiki/ directory can read/write files in wiki.d/

This would mean that other users could get full access to your wiki.d/
files by these means:
* FTP and similar programs in case of (1), and, if they are in the same
  group as you are, in case of (2)
* custom .php scripts in case of (1) and (2)

But they wouldn't get access if they wouldn't know the file hierarchy,
if the owner of the php process would be you, if clever ACLs would be
set up on the server, etc.

So here we are again: if you're on shared hosting and your service
provider isn't taking the required measures to protect your data, you
can't do much (besides obfuscating things in your home directory). If
your service provider is taking security seriously, you should be safe
with 777 permissions on wiki.d/ and safer, if you would set up uploads/
and wiki.d/ directories the way James described.


-- Rogutės



More information about the pmwiki-users mailing list