[pmwiki-users] pmwiki upload 'world write' always set

Paul Carew Paul.Carew at CloseReachCommunications.com
Wed Apr 25 18:24:38 CDT 2007


Hello Patrick,
Thanks for the reply. The files end up being owned by 'apache'. We have 
added apache to the 'webadmin' group (the owner of the web directory tree 
that contains the pmwiki). We had to do this so that apache could 'write' 
the file in the first place.

I would be interested in your option for avoiding the world write.

Best Regards

--
Paul Carew
CEO
Close Reach Communications Inc
Tel: +1-512-576-3030
Fax: +1-973-201-1670
E:    Paul.Carew at CloseReachCommunications.com
----- Original Message ----- 
From: "Patrick R. Michaud" <pmichaud at pobox.com>
To: "Paul Carew" <Paul.Carew at CloseReachCommunications.com>
Cc: <pmwiki-users at pmichaud.com>
Sent: Wednesday, April 25, 2007 5:38 PM
Subject: Re: [pmwiki-users] pmwiki upload 'world write' always set


> On Wed, Apr 25, 2007 at 04:13:19PM -0500, Paul Carew wrote:
>>    Essentially we have file uploads working, but they all get 'World Write'
>>    permission.
>>    I tried changing umask in pmwiki/pmwiki.php, but this didn't stop the
>>    problem.
>>    I tried setting a umask in Apache, which would affect the permission, but
>>    not the world write, it was still enabled
>>    PHP seems to have a umask set as 0
>>
>>    Every file that gets uploaded has a permission set of: -rw-r--rw-
>
> By default, PmWiki sets write permissions on files to guarantee that
> the account holder (i.e., the account that owns the directory
> containing wiki.d/ ) will continue to have write permissions to
> any file that PmWiki creates.
>
> In most environments, Apache runs PHP as a special "nobody" or
> "apache" user; thus any files that are created via a web script,
> including uploads, end up being owned by "nobody" or "apache".
> Normally this would mean that the real account holder (someone
> other than "nobody" or "apache") would be unable to remove the
> file or manipulate it.  Therefore, PmWiki checks the file ownerships
> and permissions and turns on the minimum permissions necessary
> to guarantee that the account holder continues to have the ability
> to delete the file.
>
> In many cases, the only way to do this is to turn on world write
> permissions.
>
> If you really want to avoid the world write permissions, I can provide
> an option for that, but in most cases it's really not significantly
> more secure, and it would mean that the account holder would be
> unable to easily remove uploaded files.
>
> Hope this helps,
>
> Pm 
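
The rule described in the quoted reply, modelled here as an added example (it is not part of either message and is not PmWiki's own code), with a small audit that lists world-writable uploads and the narrower mode that would still leave the account holder able to write. Assumptions: the account holder is the owner of the audited directory and a member of its group; the function names and the uid/gid numbers are constructed for illustration.

```python
import os
import stat
import tempfile

def extra_bits(file_uid, file_gid, dir_uid, dir_gid, is_dir=False):
    """Model of the rule in the reply: the fewest extra permission bits that
    keep the directory's owner (the account holder) able to write the file."""
    if file_uid == dir_uid:
        return 0o000                      # account holder owns it already
    bits = 0o007 if is_dir else 0o006     # rwx for directories, rw- for files
    if file_gid == dir_gid:
        bits <<= 3                        # shared group: group bits suffice
    return bits                           # otherwise only "other" bits reach the holder

def audit_world_writable(root):
    """Return [(path, current_mode, sufficient_mode)] for world-writable regular
    files under root; the account holder is taken to be root's owner."""
    holder = os.stat(root)
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)           # lstat: never follow uploaded symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                need = extra_bits(st.st_uid, st.st_gid, holder.st_uid, holder.st_gid)
                findings.append((path, mode, (mode & ~stat.S_IWOTH) | need))
    return findings

def demo():
    """Constructed sample: one upload left at 0646 (-rw-r--rw-) in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "upload.png")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data")
        os.chmod(path, 0o646)
        return [(os.path.basename(p), oct(cur), oct(ok))
                for p, cur, ok in audit_world_writable(root)]

if __name__ == "__main__":
    # Constructed uid/gid numbers: apache = 48:48, webadmin = 1001:1001.
    print(oct(extra_bits(48, 48, 1001, 1001)))    # file group apache
    print(oct(extra_bits(48, 1001, 1001, 1001)))  # file group webadmin
    print(demo())
```

When an upload carries the directory's group (for example through a setgid bit on the uploads directory, which is general Unix behaviour and not something either message proposes), the second case applies and the group bits replace the world-write bits.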



