[pmwiki-users] Uploaded files world readable!?
5ko at 5ko.fr
Mon Dec 31 10:55:31 CST 2012
Oliver Betz writes:
> Where I use $EnableDirectDownload=0;, I don't need to add permissions
> for group or other.
Sure, in this case one can see those files on your http server (wiki) but if
the FTP account is not the same as the PHP process, one may be unable to
> And we also should think about _removing_ permissions, see below!
I'll work on this. Or more simply a way to "set" the permissions you need.
> I found 0640 and 0664 permissions for Mini thumbs. The latter is
> nonsense IMNSHO
Mini thumbs are created with what are the default permissions for the PHP
installation, Mini doesn't do anything to change permissions. But we'll make
them have the same permissions as the uploaded files.
> Files uploaded by PmWiki got 0664 in all three cases - fixperms adds
> unneeded group write (and read) permissions even if PHP runs under the
> customer's account.
> If I understand correctly, other customers on the same server can
> therefore not only read files written by PmWiki but also write them if
> they can guess the file path.
No, the permissions PmWiki adds do not allow a file to be modified by
another customer -- if such permissions exist, they are not added by PmWiki,
but by the PHP configuration.
If other customers are in the "users" group, it might be possible to "read"
your files, and even this is totally unacceptable.
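
An added example, not part of this message or of PmWiki: a small audit that lists which group/other bits (as in the 0664 and 0640 modes discussed above) are set on files under an uploads directory, and can remove them without ever adding a permission. The function names, the default `allowed=0o600` (the case where files are served through PHP and no group/other access is needed) and the sample tree are assumptions.

```python
import os
import stat
import tempfile

# Names for the group/other bits discussed in the thread.
BIT_NAMES = [
    (stat.S_IRGRP, "group-read"), (stat.S_IWGRP, "group-write"),
    (stat.S_IXGRP, "group-exec"), (stat.S_IROTH, "other-read"),
    (stat.S_IWOTH, "other-write"), (stat.S_IXOTH, "other-exec"),
]

def excess_bits(mode, allowed=0o600):
    """Return names of group/other bits set in mode but absent from allowed."""
    extra = stat.S_IMODE(mode) & ~allowed
    return [name for bit, name in BIT_NAMES if extra & bit]

def audit(root, allowed=0o600):
    """List (path, octal mode, excess bit names) for regular files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            extra = excess_bits(st.st_mode, allowed)
            if extra:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), extra))
    return findings

def tighten(root, allowed=0o600):
    """Clear every flagged bit outside allowed; never adds a permission."""
    fixed = 0
    for path, mode, _extra in audit(root, allowed):
        os.chmod(path, int(mode, 8) & allowed)
        fixed += 1
    return fixed

if __name__ == "__main__":
    # Constructed sample tree standing in for an uploads directory.
    with tempfile.TemporaryDirectory() as root:
        for name, mode in [("a.png", 0o664), ("b.png", 0o640), ("c.png", 0o600)]:
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        for finding in audit(root):
            print(finding)
        print("tightened:", tighten(root), "remaining:", audit(root))
```

Where the web server reads the files directly through a shared group, pass `allowed=0o640` so that only group-write and the "other" bits are reported.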