[pmwiki-users] Setgid on Uploads

Patrick R. Michaud pmichaud at pobox.com
Sat Mar 17 16:05:17 CDT 2007


On Wed, Mar 14, 2007 at 09:21:47PM -0700, Grant D. Watson wrote:
> The individual files that are uploaded,
> however, are owned by www-data, in the www-data group,
> and world writable (unlike the directories)!

I think it's a problem with PHP's move_uploaded_file function.
When the file is created by PHP, it receives certain ownerships
and permissions based on the temporary directory in which it is
stored, and the act of moving the file into the new directory
(with setgid permissions) doesn't change the group ownership
of the file.

PmWiki then leaves the file as world-write so that the account
owner still has the ability to modify the file.

I think the solution to this may be to use something
other than PHP's built-in move_uploaded_file() function
to take care of moving the file into the upload directory.
Then the newly created file would have the correct permissions.

I'll look into it a bit further.  You might also file a new
PITS entry for this, if one doesn't already exist.

http://www.pmwiki.org/wiki/PITS/NewIssue

Thanks!

Pm
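
An added illustration of the mechanism discussed in this message, in Python rather than PmWiki's PHP; it is not code from PmWiki or from this thread. The function names and the sample files are constructed for the example: `demo()` contrasts a same-filesystem rename, where the file's metadata travels with it, with creating a fresh file inside a setgid upload directory, and `audit()` flags files that are world-writable or outside the directory's group.

```python
import os, shutil, stat, tempfile

def describe(path):
    st = os.stat(path)
    return st.st_ino, st.st_gid, stat.S_IMODE(st.st_mode)

def install_by_rename(tmp_path, dest_dir):
    # Same-filesystem move: the inode, and with it owner, group and mode, is kept.
    dest = os.path.join(dest_dir, os.path.basename(tmp_path))
    os.rename(tmp_path, dest)
    return dest

def install_by_copy(tmp_path, dest_dir, mode=0o664):
    # Create a new file inside dest_dir so a setgid directory assigns its own
    # group; group-write is then enough and world-write is not needed.
    dest = os.path.join(dest_dir, os.path.basename(tmp_path))
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out, open(tmp_path, "rb") as src:
        shutil.copyfileobj(src, out)
        os.fchmod(out.fileno(), mode)  # explicit mode, independent of umask
    os.unlink(tmp_path)
    return dest

def audit(upload_dir):
    # Report files that are world-writable or outside the directory's group.
    want_gid = os.stat(upload_dir).st_gid
    findings = []
    for name in sorted(os.listdir(upload_dir)):
        _, gid, mode = describe(os.path.join(upload_dir, name))
        if mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
        if gid != want_gid:
            findings.append((name, "group differs from directory"))
    return findings

def demo():
    # Constructed layout: one temp directory and one setgid upload directory.
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as uploads:
        os.chmod(uploads, 0o2775)
        for name in ("a.txt", "b.txt"):
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(b"constructed sample upload\n")
        ino_a = describe(os.path.join(tmp, "a.txt"))[0]
        moved = install_by_rename(os.path.join(tmp, "a.txt"), uploads)
        os.chmod(moved, 0o666)  # the world-writable outcome reported in the thread
        copied = install_by_copy(os.path.join(tmp, "b.txt"), uploads)
        return {"rename_same_inode": describe(moved)[0] == ino_a,
                "copy_mode": describe(copied)[2], "audit": audit(uploads)}
```

The group-mismatch finding only appears when the temp directory and the upload directory belong to different groups, which the single-user demo cannot reproduce.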


