[pmwiki-users] pmwiki upload 'world write' always set

Patrick R. Michaud pmichaud at pobox.com
Wed Apr 25 17:38:44 CDT 2007


On Wed, Apr 25, 2007 at 04:13:19PM -0500, Paul Carew wrote:
>    Essentially we have file uploads working, but they all get 'World' Write'
>    permission.
>    I tried changing umask in pmwiki/pmwiki.php, but this didn't stop the
>    problem.
>    I tried setting a umask in Apache, which would affect the permission, but
>    not the world write, it was still enabled
>    PHP seems to have a umask set as 0
>     
>    Every file that gets uploaded has a permission set of: -rw-r--rw-

By default, PmWiki sets write permissions on files to guarantee that
the account holder (i.e., the account that owns the directory
containing wiki.d/ ) will continue to have write permissions to
any file that PmWiki creates.

In most environments, Apache runs PHP as a special "nobody" or
"apache" user; thus any files that are created via a web script,
including uploads, end up being owned by "nobody" or "apache".
Normally this would mean that the real account holder (someone
other than "nobody" or "apache") would be unable to remove the
file or manipulate it.  Therefore, PmWiki checks the file ownerships
and permissions and turns on the minimum permissions necessary
to guarantee that the account holder continues to have the ability
to delete the file.

In many cases, the only way to do this is to turn on world write
permissions.

If you really want to avoid the world write permissions, I can provide
an option for that, but in most cases it's really not significantly
more secure, and it would mean that the account holder would be
unable to easily remove uploaded files.

Hope this helps,

Pm



More information about the pmwiki-users mailing list