[pmwiki-users] Uploaded files world readable!?

Oliver Betz list_ob at gmx.net
Sat Dec 29 07:59:18 CST 2012


posting through gmane seemingly doesn't work, so I send a third reply 
via mail. Apologies if the other two mails arrive later.

Patrick R. Michaud wrote:

> > upload.php uses "fixperms($filepath,0444);", therefore uploaded files
> > get world read access, correct?
> > Why is this needed?
> 
> Short answer: Fixperms only adds the minimum permissions necessary 
> to ensure that the account owner has sufficient permission to access 
> the file.
> 
> Longer answer:  Some PHP installations run programs under a 
> special "nobody" or "apache" account, which means that any files
> uploaded to the server are owned by that account and not the
> account that installed PmWiki.  If permissions aren't fixed,
> this means that the person who installed PmWiki is sometimes
> unable to view or even remove uploaded files from their own
> account.
> 
> The fixperms() function detects when this occurs and makes sure
> that the account that installed PmWiki always retains appropriate
> permissions to any files that are uploaded.  Sometimes the only
> way to do this is by adding world read permissions.
> 
> If PHP is already running under the account of the PmWiki owner,
> or if the default file permissions of uploaded files are such
> that the owner will still be able to access the file, then fixperms()
> doesn't do anything to the file.

that's correct for fixperms called with only one parameter, but 
upload.php calls fixperms with additional (unconditional) 0444 
permissions, therefore uploaded files are always world readable 
regardless of the description above.

A check with three hosting services I have access to showed that 
additional permissions are needed for installations where the web 
server account is not even in the same group as PHP, although PHP 
runs under the customer account as the shell or the (S)FTP server.

The downside is that other customers on the same server can access 
uploaded files (if they know / guess the file path).

Oliver
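The three ownership cases Patrick describes, and the unconditional 0444
call Oliver points at, as an added Python illustration. This is not
PmWiki's own fixperms() code: minimal_read_bits, fixperms_like,
find_world_readable and demo are names chosen here, the sample upload
directory is constructed in a temp dir, and the uid/gid values in the
usage note are assumptions.

```python
import os
import stat
import tempfile

# Bits upload.php is quoted as passing unconditionally: fixperms($filepath, 0444)
UNCONDITIONAL_BITS = 0o444


def minimal_read_bits(file_uid, file_gid, owner_uid, owner_gids):
    """Smallest read bits that let the site owner read a file the PHP process
    created, following the cases in the thread. owner_gids is the set of
    groups the owner account belongs to."""
    if file_uid == owner_uid:               # PHP already runs as the site owner
        return stat.S_IRUSR                 # owner read is enough
    if file_gid in owner_gids:              # other account, but a shared group
        return stat.S_IRUSR | stat.S_IRGRP  # group read reaches the owner
    return stat.S_IRUSR | stat.S_IROTH      # no shared group: only o+r works


def fixperms_like(path, bits=0):
    """Hypothetical stand-in for fixperms(path, bits): OR the extra bits into
    the current mode, write it back if it changed, return the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    new_mode = mode | bits
    if new_mode != mode:
        os.chmod(path, new_mode)
    return new_mode


def find_world_readable(root):
    """Relative paths under root whose mode has the other-read bit set, i.e.
    files any local account on a shared host can read if it knows the path."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & stat.S_IROTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Constructed upload: start at 0600 (umask 077), apply the 0444 call,
    show the file is now world readable, then strip only the o+r bit."""
    with tempfile.TemporaryDirectory() as uploads:
        path = os.path.join(uploads, "secret.pdf")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample upload\n")  # constructed content
        os.chmod(path, 0o600)
        after_upload = fixperms_like(path, UNCONDITIONAL_BITS)  # -> 0o644
        leaked = find_world_readable(uploads)                   # ['secret.pdf']
        os.chmod(path, after_upload & ~stat.S_IROTH)            # remediation
        fixed = find_world_readable(uploads)                    # []
        return after_upload, leaked, fixed


if __name__ == "__main__":
    print("after 0444 call: %o, world-readable: %s, after fix: %s" % demo())
```

With assumed ids (site owner uid 1000 in group 1000, PHP as uid/gid 33),
minimal_read_bits(33, 33, 1000, {1000}) returns 0o404, the one case where
o+r is unavoidable; minimal_read_bits(33, 33, 1000, {1000, 33}) returns
0o440 and minimal_read_bits(1000, 1000, 1000, {1000}) returns 0o400. The
unconditional 0444 grants o+r in all three, which is what
find_world_readable() is for: run it over the uploads directory of an
existing install to see which files are exposed to other accounts on the
same host.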


