[pmwiki-users] Security breach?

Radu Luchian radu at monicsoft.net
Tue Dec 23 15:49:16 CST 2008


Try the FileZilla FTP client.
http://filezilla-project.org/download.php

Cheers,
Radu

On Tue, Dec 23, 2008 at 2:24 AM, PKHG <p.k.h.gragert at misc.utwente.nl> wrote:

> Hello,
>
> Using an FTP-client for changing protection codes, I do not have the
> possibility to set the guid bit (I mean chmod 2777) ?!
>
> And (my) ftp direct does not have a chmod at all?
>
> So that 'trick' is not possible for everybody?
>
> Greetings
>
>           Peter
>
>
>
> *From:* pmwiki-users-bounces at pmichaud.com [mailto:
> pmwiki-users-bounces at pmichaud.com] *On behalf of* James M
> *Sent:* Tuesday, 23 December 2008 1:39
> *CC:* pmwiki-users at pmichaud.com
> *Subject:* Re: [pmwiki-users] Security breach?
>
>
>
> On Mon, Dec 22, 2008 at 11:53 PM, DaveG <pmwiki at solidgone.com> wrote:
>
> Setting things to 755 is safer than 777. The question is, will that work
> on your site, with your host, with your version of PHP, with the setup
> of the webserver you have? I don't know. Easiest way to find out is
> after creating wiki.d and uploads, to set them to 755; if you can create
> or edit a wiki page through the normal way, then you're done.
>
>
>
>
>
> As far as I understand, setting to 755 won't usually work (and doesn't on
> my system), unless the server has the same user id as the owner of the
> pmwiki directory: with 755 only the user (owner) has write permission. Pm's
> suggestion of using the setgid bit is a way round that.
>
> So it seems the correct steps are as follows:
>
>
>
> 1.  In the pmwiki directory, type
>
> chmod 2777 .
>
> (with the dot) - this makes the pmwiki completely open for the moment, but
> it has the added effect of using the setgid bit (that's what the 2 refers to
> in 2777)
>
>
>
> 2. Execute pmwiki.php through your browser.  This will create the wiki.d
> directory.
>
> (Suggestion: if you already have a wiki.d directory, rename it say to
> xwiki.d. Create the wiki.d directory as above and then move all the files
> across - there's probably a better way - but I don't know what it would be -
> I think you need the server to be the new owner)
>
>
>
> If you use uploads, then do an upload to create the new directory (perhaps
> this can be improved) (and use the same trick as before if you already have
> an uploads directory)
>
>
>
> 3. Still in the pmwiki directory, type
>
> chmod 755 .
>
> and that reverts the pmwiki directory to be as it was before you started.
>
>
>
>
>
> The upshot is that the wiki.d (and uploads) directory is now owned by the
> server - and the ownership is recorded as "apache" or "nobody" (it's
> "apache" on mine) or perhaps something else, but this magic setgid (set
> group id) makes sure the server is in the same group as you (the user), so
> you can administer the files too.
>
>
>
> Does that make sense?  (And is it correct? - I'm not a unix expert - just a
> long-time long-in-the-tooth user)
>
>
>
> James
>
>
>
>
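
Steps 1 to 3 from the quoted message, replayed in a scratch directory as an added example that is not part of the original thread. Plain `mkdir` stands in for pmwiki.php creating wiki.d (an assumption), and the paths under the temp directory are constructed; the script prints the mode strings so the inherited setgid bit on wiki.d and the parent's mode after step 3 can be checked directly.

```shell
#!/bin/sh
# Added demo: replays steps 1-3 in a scratch directory, never in a live PmWiki tree.
# Assumption: plain mkdir stands in for pmwiki.php creating wiki.d.

# perms PATH -> 10-character mode string from ls, e.g. drwxrwsrwx
perms() { ls -ldn "$1" | cut -c1-10; }

# gid PATH -> numeric id of the group that owns PATH
gid() { ls -ldn "$1" | awk '{print $4}'; }

# Prints: <parent after step 1> <wiki.d after step 2> <parent after step 3> <same group?>
setgid_demo() (
    base=$(mktemp -d) || exit 1
    umask 022
    mkdir "$base/pmwiki"
    chmod 2777 "$base/pmwiki"        # step 1: world-writable plus setgid
    step1=$(perms "$base/pmwiki")
    mkdir "$base/pmwiki/wiki.d"      # step 2: new directory created inside
    step2=$(perms "$base/pmwiki/wiki.d")
    chmod 755 "$base/pmwiki"         # step 3: close the parent again
    step3=$(perms "$base/pmwiki")
    same=no
    [ "$(gid "$base/pmwiki")" = "$(gid "$base/pmwiki/wiki.d")" ] && same=yes
    rm -rf "$base"
    echo "$step1 $step2 $step3 $same"
)

setgid_demo
```

With GNU coreutils, a numeric `chmod 755` on a directory leaves an existing setgid bit in place, so the third field can read `drwxr-sr-x`; `chmod g-s .` clears the bit explicitly.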