[pmwiki-users] Permissions puzzle
Patrick R. Michaud
pmichaud at pobox.com
Sun Apr 1 09:56:47 CDT 2007

On Sun, Apr 01, 2007 at 10:12:27AM -0400, Henrik wrote:
> Patrick,
>
> I have attachment uploads set to use group subdirectories of an "uploads"
> directory. The userid/groupid of upload subdirectories created by PHP
> (PmWiki) before the upgrade are henrik/henrik (i.e. the userid/groupid of
> the master account). The userid/groupid of directories created by PHP
> after the upgrade are 99/99 identified in the phpinfo.php listing as
> nobody(99)/nobody(99).
>
> I believe this constitutes proof, or at least evidence, that the
> userid/groupid of PHP had changed, as you suggested.

Yes, it does.

> I've asked the company to change the PHP userid/groupid back to the master
> account values, as the change has also negatively affected other
> applications. We'll see what they do.

In practice this often turns out to be very difficult--it's generally
not a simple configuration setting that an administrator can turn on
or off. Usually it requires having somewhat special versions of PHP
and/or Apache, or a fairly complex Apache virtual hosts configuration file,
or using a setuid-root helper program to switch execution to a different
userid (and that has its own set of security issues).

I think that's one big reason why webhosting companies tend to stick
with the default 'nobody' configuration -- it's too difficult to reliably
sustain any other execution model across various PHP and Apache version
upgrades. It's a pity, too, because having scripts execute as the
account holder is more secure (and easier to deal with) in many contexts.

Pm
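
The ownership check described in the quoted message (comparing the uid/gid of upload subdirectories against the account's own), written out as an added example; it is not part of the original message or of PmWiki. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile
from collections import defaultdict


def audit_upload_owners(root, expected_uid, expected_gid):
    """Group every directory under `root` by (uid, gid).

    Returns (owners, mismatched, world_writable):
      owners         -> {(uid, gid): [relative paths]}
      mismatched     -> directories not owned by the expected account
      world_writable -> directories any local user may write to
    """
    owners = defaultdict(list)
    mismatched, world_writable = [], []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: report the link itself, never its target
            if not stat.S_ISDIR(st.st_mode):
                continue  # symlink to a directory: skip it
            rel = os.path.relpath(full, root)
            owners[(st.st_uid, st.st_gid)].append(rel)
            if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
                mismatched.append(rel)
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(rel)
    return dict(owners), sorted(mismatched), sorted(world_writable)


def build_sample_tree():
    """Constructed sample: uploads/Main (0755) and uploads/Site (0777)."""
    root = tempfile.mkdtemp(prefix="uploads-")
    for name, mode in (("Main", 0o755), ("Site", 0o777)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    base = os.lstat(root)  # treat the tree's own owner as the account owner
    owners, mismatched, writable = audit_upload_owners(root, base.st_uid, base.st_gid)
    for (uid, gid), paths in owners.items():
        print(f"{uid}/{gid}: {sorted(paths)}")
    print("not owned by account:", mismatched)
    print("world-writable:", writable)
```

On a real host, directories listed under a second uid/gid pair (such as 99/99) are the ones PHP created after its execution identity changed.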