[pmwiki-users] Files rewritten at world-writable

Patrick R. Michaud pmichaud at pobox.com
Mon Jul 18 11:29:20 CDT 2005


On Mon, Jul 18, 2005 at 04:22:46PM +0100, Daphne Tregear wrote:
> I have set up my pmwiki directory as per the instructions in
> PmWiki/FilePermissions:
> 
> drwxrwsr-x   3 nobody   nogroup      512 Jul 17 15:28 uploads
> drwxrwsr-x   2 nobody   nogroup     1024 Jul 18 16:15 wiki.d

Normally one doesn't use setgid permissions (rws) if the directory
is in "nogroup".  Usually we would make sure that the directory has
the same group as the account owner (i.e., the same group as
the parent), and then use setgid.  This will ensure that all files
in wiki.d/ and uploads/ have the same group membership as the
account holder, and then PmWiki doesn't add any world permissions.

> nobody and nogroup being the user and group Apache runs under. I note
> the umask(002); in pmwiki.php. I remove all the world write
> permissions from the files in wiki.d and then edit a file via
> pmwiki. That file, and other files describing recent changes, are
> rewritten with world write permission again. Why? Where is it being
> set? The files don't need world write permission for pmwiki to work,
> surely?

No, the files don't need world write permission for PmWiki to work.
But given the configuration you have above one would need world
write permission in order for the account holder (the account that
installed PmWiki) to be able to remove/rename the files in wiki.d/ .

So, PmWiki adds the world write permissions in order to preserve
the account holder's ability to access those files.  This ends up being
the right choice in most situations -- otherwise the account holder
needs special scripts available to do it for them.

If you change wiki.d/ and uploads/ to have the same group as
their parent directory, and add the setgid bit (2777), then
all files in the directories will have the same group as the
account holder, and PmWiki won't add world permissions at all.

Pm
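
An added example, not part of the original message and not PmWiki code: a POSIX shell check for the layout recommended above (data directory in the same group as its parent, setgid bit set, no page files left world-writable or in another group). The function names and finding labels are hypothetical, and it assumes `ls -ldn` prints the numeric group id in its fourth field.

```shell
#!/bin/sh
# Added example: audit wiki.d/ or uploads/ for the layout recommended above.
# Function names and finding labels are hypothetical, not part of PmWiki.

# Numeric group id of a path (field 4 of `ls -ldn`).
gid_of() { ls -ldn "$1" | awk '{print $4}'; }

# Prints one finding per line; returns 0 only when nothing is found.
audit_wiki_dir() {
    a_dir=$1
    a_gid=$(gid_of "$a_dir")
    a_rc=0

    # 1. The directory should be in the same group as its parent
    #    (the account holder's group), not the web server's group.
    if [ "$a_gid" != "$(gid_of "$a_dir/..")" ]; then
        echo "DIR-GROUP: $a_dir is in gid $a_gid, parent is in gid $(gid_of "$a_dir/..")"
        a_rc=1
    fi

    # 2. The setgid bit makes new files inherit the directory's group.
    if [ -z "$(find "$a_dir" -prune -perm -2000)" ]; then
        echo "SETGID: $a_dir has no setgid bit"
        a_rc=1
    fi

    # 3. Files written before the change keep their old group and mode.
    a_list=$(find "$a_dir" -type f ! -group "$a_gid")
    if [ -n "$a_list" ]; then
        echo "$a_list" | sed 's/^/FILE-GROUP: /'
        a_rc=1
    fi
    a_list=$(find "$a_dir" -type f -perm -0002)
    if [ -n "$a_list" ]; then
        echo "$a_list" | sed 's/^/WORLD-WRITABLE: /'
        a_rc=1
    fi
    return "$a_rc"
}

# Usage: sh audit.sh wiki.d uploads
for a_arg in "$@"; do
    audit_wiki_dir "$a_arg" || true
done
```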
