[pmwiki-users] Security breach?

James M jamesm1415 at googlemail.com
Tue Dec 23 08:06:52 CST 2008


In fact I'm in the same situation as Peter on one of my wikis (the one that
was compromised in the first place).  On the commercial webhost I use the
only interaction is using cpanel.   I can set permissions but only the basic
ones, not using setgid. I'm going to discuss this with them, as well as
Rogutes' points above.

(Also with cpanel you can't see the date last modified nor the group and
user who own the file/directory - my host agrees it's not good enough, and
they're going to discuss it with the cpanel makers! If they do, that's what
I call service! I don't think you'd get that from 1&1.)

Do any hosts offer better?  At work (University of Manchester), I can
connect using ssh, and can give full unix line commands.

James

ps It would be useful to keep a list of pmwiki-friendly hosts on the pmwiki
site, with the pros and cons of each.  As and when users encounter them - it
wouldn't need to be systematic.

pps Luigi's right - I think you should be able to chmod with ftp clients -
see here for example
http://www.phpjunkyard.com/ftp-chmod-tutorial.php


On Tue, Dec 23, 2008 at 9:24 AM, PKHG <p.k.h.gragert at misc.utwente.nl> wrote:

>  Hello,
>
> Using an FTP-client for changing protection codes, I do not have the
> possibility to set the guid bit (I mean chmod 2777) ?!
>
> And (my) ftp direct does not have a chmod at all?
>
> So that 'trick' is not possible for everybody?
>
> Greetings
>
>           Peter
>
> *From:* pmwiki-users-bounces at pmichaud.com [mailto:
> pmwiki-users-bounces at pmichaud.com] *On behalf of *James M
> *Sent:* Tuesday 23 December 2008 1:39
> *CC:* pmwiki-users at pmichaud.com
> *Subject:* Re: [pmwiki-users] Security breach?
>
> On Mon, Dec 22, 2008 at 11:53 PM, DaveG <pmwiki at solidgone.com> wrote:
>
> Setting things to 755 is safer than 777. The question is, will that work
> on your site, with your host, with your version of PHP, with the setup
> of the webserver you have? I don't know. Easiest way to find out is
> after creating wiki.d and uploads, to set them to 755; if you can create
> or edit a wiki page through the normal way, then you're done.
>
> As far as I understand, setting to 755 won't usually work (and doesn't on
> my system), unless the server has the same user id as the owner of the
> pmwiki directory: with 755 only the user (owner) has write permission. Pm's
> suggestion of using the setgid bit is a way round that.
>
> So it seems the correct steps are as follows:
>
> 1.  In the pmwiki directory, type
>
> chmod 2777 .
>
> (with the dot) - this makes the pmwiki completely open for the moment, but
> it has the added effect of using the setgid bit (that's what the 2 refers to
> in 2777)
>
> 2. Execute pmwiki.php through your browser.  This will create the wiki.d
> directory.
>
> (Suggestion: if you already have a wiki.d directory, rename it say to
> xwiki.d. create the wiki.d directory as above and then move all the files
> across - there's probably a better way - but I don't know what it would be -
> I think you need the server to be the new owner)
>
> If you use uploads, then do an upload to create the new directory (perhaps
> this can be improved) (and use the same trick as before if you already have
> an uploads directory)
>
> 3. Still in the pmwiki directory, type
>
> chmod 755 .
>
> and that reverts the pmwiki directory to be as it was before you started.
>
> The upshot is that the wiki.d (and uploads) directory is now owned by the
> server - and the ownership is recorded as "apache" or "nobody" (it's
> "apache" on mine) or perhaps something else, but this magic setgid (set
> group id) makes sure the server is in the same group as you (the user), so
> you can administer the files too.
>
> Does that make sense?  (And is it correct? - I'm not a unix expert - just a
> long-time long-in-the-tooth user)
>
> James
>
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>
>
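The three chmod steps quoted above, replayed as an added example on a host where you do have an ssh shell (this is not code from any poster or from PmWiki): it uses 2775 rather than 2777 so the directory is never world-writable, and then checks with ls what the setgid bit actually did rather than assuming it. All paths are constructed, and Linux-style setgid inheritance on directories is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: replays the three steps with the
# safer 2775 (group-writable, setgid, no world write) and then verifies the
# result instead of assuming it. Every path is constructed; Linux semantics
# for directory setgid inheritance are assumed.

# mode_string PATH: the 10-character mode as ls prints it, e.g. drwxrwsr-x
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# group_of PATH: the owning group (name, or numeric gid if unresolvable)
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# has_setgid PATH: true if the setgid bit is set (an 's' or 'S' in the
# group-execute column of the mode string)
has_setgid() {
    case "$(mode_string "$1" | cut -c7)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# setgid_demo BASE: create BASE as the "pmwiki directory", open it with the
# setgid bit, let a "server" create wiki.d and a page inside it, then close
# BASE again. Returns 0 when wiki.d inherited BASE's group and setgid bit and
# BASE is no longer world-writable; 1 otherwise.
setgid_demo() {
    base="$1"
    mkdir -p "$base" || return 1
    chmod 2775 "$base" || return 1               # step 1, minus the world-write bit
    mkdir "$base/wiki.d" || return 1             # step 2: what pmwiki.php does on first run
    touch "$base/wiki.d/Main.HomePage" || return 1   # a page file, as the server writes it
    chmod 755 "$base" || return 1                # step 3: close the top directory again
    # Inheritance check: the child got the parent's group and its own setgid bit.
    [ "$(group_of "$base/wiki.d")" = "$(group_of "$base")" ] || return 1
    has_setgid "$base/wiki.d" || return 1
    # Step 3 check: no world-write bit remains on BASE. GNU chmod keeps a
    # directory's setgid bit across a numeric "chmod 755", so read ls -ld
    # rather than assuming the bit is gone.
    [ "$(mode_string "$base" | cut -c9)" = "-" ] || return 1
    return 0
}

# Usage (constructed path): setgid_demo /tmp/pmwiki-demo && echo "setgid inheritance works"
```

Whether the web server's account is actually in your group, which is what makes the inherited group useful, is something only `ls -ld wiki.d` and `id` on the host can tell you; the script only shows the mechanism.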