[pmwiki-users] Permissions puzzle

Patrick R. Michaud pmichaud at pobox.com
Sun Apr 1 09:56:47 CDT 2007


On Sun, Apr 01, 2007 at 10:12:27AM -0400, Henrik wrote:
>    Patrick,
> 
>    I have attachment uploads set to use group subdirectories of an "uploads"
>    directory. The userid/groupid of upload subdirectories created by PHP
>    (PmWiki) before the upgrade are henrik/henrik (i.e. the userid/groupid of
>    the master account). The userid/groupid of directories created by PHP
>    after the upgrade are 99/99 identified in the phpinfo.php listing as
>    nobody(99)/nobody(99).
> 
>    I believe this constitutes proof, or at least evidence, that the
>    userid/groupid of PHP had changed, as you suggested.

Yes, it does.

>    I've asked the company to change the PHP userid/groupid back to the master
>    account values, as the change has also negatively affected other
>    applications. We'll see what they do.

In practice this often turns out to be very difficult--it's generally
not a simple configuration setting that an administrator can turn on
or off.  Usually it requires having somewhat special versions of PHP 
and/or Apache, or a fairly complex Apache virtual hosts configuration file,
or using a setuid-root helper program to switch execution to a different 
userid (and that has its own set of security issues).

I think that's one big reason why webhosting companies tend to stick
with the default 'nobody' configuration -- it's too difficult to reliably
sustain any other execution model across various PHP and Apache version
upgrades.  It's a pity, too, because having scripts execute as the
account holder is more secure (and easier to deal with) in many contexts.

Pm
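
The ownership evidence discussed in this thread (older upload subdirectories owned by the account holder, newer ones owned by 99/99) can be gathered with a short script. This is an added example, not part of the original message or of PmWiki; the function names and the directory and uid arguments are assumptions.

```shell
#!/bin/sh
# Added example: list upload subdirectories whose numeric owner differs
# from the account holder's uid. Function names and arguments are
# assumptions, not anything defined by PmWiki.

# owner_of PATH -> prints "uid:gid", read from POSIX `ls -ldn` (numeric ids).
owner_of() {
    ls -ldn -- "$1" | awk '{ print $3 ":" $4 }'
}

# mismatched_dirs UPLOADS_DIR EXPECTED_UID
# Prints "uid:gid<TAB>path" for every immediate subdirectory not owned by
# EXPECTED_UID, e.g. directories PHP created while running as nobody (99).
mismatched_dirs() {
    uploads=$1
    expected=$2
    for d in "$uploads"/*/; do
        [ -d "$d" ] || continue      # glob matched nothing
        d=${d%/}
        [ -L "$d" ] && continue      # report real directories only
        og=$(owner_of "$d")
        if [ "${og%%:*}" != "$expected" ]; then
            printf '%s\t%s\n' "$og" "$d"
        fi
    done
}

# count_mismatched UPLOADS_DIR EXPECTED_UID -> number of mismatched dirs.
count_mismatched() {
    mismatched_dirs "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone use: sh audit.sh --audit uploads "$(id -u)"
if [ "${1:-}" = "--audit" ] && [ "$#" -eq 3 ]; then
    mismatched_dirs "$2" "$3"
fi
```

Directories it reports were created under a different uid than the one passed in, so the account holder may be unable to modify or remove them without the host's help.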



