[pmwiki-users] Security breach?

PKHG p.k.h.gragert at misc.utwente.nl
Tue Dec 23 03:24:02 CST 2008


Using an FTP-client for changing protection codes, I do not have the
possibility to set the guid bit (I mean chmod 2777) ?!

And (my) ftp direct does not have a chmod at all?

So that 'trick' is not possible for everybody?




Van: pmwiki-users-bounces at pmichaud.com
[mailto:pmwiki-users-bounces at pmichaud.com] Namens James M
Verzonden: dinsdag 23 december 2008 1:39
CC: pmwiki-users at pmichaud.com
Onderwerp: Re: [pmwiki-users] Security breach?


On Mon, Dec 22, 2008 at 11:53 PM, DaveG <pmwiki at solidgone.com> wrote:

Setting things to 755 is safer than 777. The question is, will that work
on your site, with your host, with your version of PHP, with the setup
of the webserver you have? I don't know. Easiest way to find out is
after creating wiki.d and uploads, to set them to 755; if you can create
or edit a wiki page through the normal way, then your done.



As far as I understand, setting to 755 won't usually work (and doesn't on my
system), unless the server has the same user id as the owner of the pmwiki
directory: with 755 only the user (owner) has write permission. Pm's
suggestion of using the setgid bit is a way round that.  

So it seems the correct steps are as follows:


1.  In the pmwiki directory, type

chmod 2777 .

(with the dot) - this makes the pmwiki completely open for the moment, but
it has the added effect of using the setgid bit (that's what the 2 refers to
in 2777)


2. Execute pmwiki.php through your browser.  This will create the wiki.d

(Suggestion: if you already have a wiki.d directory, rename it say to
xwiki.d. create the wiki.d directory as above and then move all the files
across - there's prbably a better way - but I don't know what it would be -
I think you need the server to be the new owner)


If you use uploads, then do an upload to create the new directory (perhaps
this can be improved) (and use the same trick as before if you already have
an uploads directory)


3. Still in the pmwiki directory, type

chmod 755 .

and that reverts the pmwiki directory to be as it was before you started. 



The upshot is that the wiki.d (and uploads) directory is now owned by the
server - and the ownership is recorded as "apache" or "nobody" (it's
"apache" on mine) or perhaps something else, but this magic setgid (set
group id) makes sure the server is in the same group as you (the user), so
you can administer the files too. 


Does that make sense?  (And is it correct? - I'm not a unix expert - just a
long-time long-in-the-tooth user)




-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.pmichaud.com/pipermail/pmwiki-users/attachments/20081223/25a38fd5/attachment.html 

More information about the pmwiki-users mailing list