[pmwiki-users] Uploaded files world readable!?

Patrick R. Michaud pmichaud at pobox.com
Thu Dec 27 12:46:09 CST 2012


On Wed, Dec 26, 2012 at 08:21:56PM +0100, Oliver Betz wrote:
> Hello all,
> 
> upload.php uses "fixperms($filepath,0444);", therefore uploaded files
> get world read access, correct?
> Why is this needed?

Short answer: Fixperms only adds the minimum permissions necessary 
to ensure that the account owner has sufficient permission to access 
the file.

Longer answer:  Some PHP installations run programs under a 
special "nobody" or "apache" account, which means that any files
uploaded to the server are owned by that account and not the
account that installed PmWiki.  If permissions aren't fixed,
this means that the person who installed PmWiki is sometimes
unable to view or even remove uploaded files from their own
account.

The fixperms() function detects when this occurs and makes sure
that the account that installed PmWiki always retains appropriate
permissions to any files that are uploaded.  Sometimes the only
way to do this is by adding world read permissions.

If PHP is already running under the account of the PmWiki owner,
or if the default file permissions of uploaded files are such
that the owner will still be able to access the file, then fixperms()
doesn't do anything to the file.

> BTW: There is no "fixperms" for "Mini" thumbnails.

There probably should be, although PHP installations running under
"nobody" accounts are becoming far less common (and this is a
very good thing IMO).

Pm
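The trade-off described in this reply can be audited on an existing uploads directory. The following is an added example, not PmWiki's own code and not from the message above: it classifies each uploaded file by whether its world-read bit is actually needed for the installing account to read it. The function names and the uids/gids in the demo are hypothetical, and the check models plain Unix mode bits only (no ACLs, no root override).

```python
import os
import stat

def account_can_read(st_uid, st_gid, mode, acct_uid, acct_gids):
    # Unix applies exactly one permission class: owner, else group, else other.
    if acct_uid == st_uid:
        return bool(mode & stat.S_IRUSR)
    if st_gid in acct_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def classify(st_uid, st_gid, mode, acct_uid, acct_gids):
    """Return ok, world-read-needed, world-read-excess or owner-locked-out."""
    if not account_can_read(st_uid, st_gid, mode, acct_uid, acct_gids):
        return "owner-locked-out"
    if not mode & stat.S_IROTH:
        return "ok"
    # Would the installing account still read the file without o+r?
    without_world = mode & ~stat.S_IROTH
    if account_can_read(st_uid, st_gid, without_world, acct_uid, acct_gids):
        return "world-read-excess"
    return "world-read-needed"

def audit(upload_dir, acct_uid, acct_gids):
    """Walk upload_dir and return (path, verdict) for every file not 'ok'."""
    findings = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            verdict = classify(st.st_uid, st.st_gid,
                               stat.S_IMODE(st.st_mode), acct_uid, acct_gids)
            if verdict != "ok":
                findings.append((path, verdict))
    return findings

if __name__ == "__main__":
    # Constructed values: uid 1000 installed the wiki, uid/gid 33 runs PHP.
    print(classify(33, 33, 0o644, 1000, {1000}))      # file owned by PHP account
    print(classify(1000, 1000, 0o644, 1000, {1000}))  # PHP runs as the wiki owner
    print(classify(33, 33, 0o640, 1000, {1000, 33}))  # shared group instead
```

Files reported as `world-read-excess` are the ones where the bit can be dropped without locking the installing account out of its own uploads.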



