[pmwiki-users] Uploaded files world readable!?

Petko Yotov 5ko at 5ko.fr
Sun Dec 30 18:48:14 CST 2012 

Patrick R. Michaud writes:

> On Wed, Dec 26, 2012 at 08:21:56PM +0100, Oliver Betz wrote:
> > upload.php uses "fixperms($filepath,0444);", therefore uploaded files
> > get world read access, correct?
> > Why is this needed?
...
> The fixperms() function detects when this occurs and makes sure
> that the account that installed PmWiki always retains appropriate
> permissions to any files that are uploaded.  Sometimes the only
> way to do this is by adding world read permissions.

The second argument 0444 causes world read permissions always, not  
sometimes. No matter if the file owner and the directory owner are the same  
or in the same group or not.

I assume that on some installations, one can have the FTP account, the the  
PHP CGI/FastCGI process and the HTTP server all 3 different owners, and if  
the server doesn't have read permissions, visitors will see the error 403  
forbidden.

OTOH, I know some hosting providers where all FTP/SSH accounts are in the  
"users" group, and all files must have no permission for that group or there  
is an internal server error. The server process is not in the same group, so  
all files should have 0404 or O606 permissions. This allows both the SSH  
owner and the server to read or modify the files, but an SSH user cannot  
see or modify the files of another SSH user.

Patrick, do you think this second argument should be made modifiable by a  
wiki admin? And should it be 0444 by default or O?

The function fixperms() is only called with a second argument from  
upload.php. This second argument was added in version 2.0.devel27 (25- 
Nov-2004).

> > BTW: There is no "fixperms" for "Mini" thumbnails.

Both Thumblist and Mini don't use the fixperms() function for the  
thumbnails. Indeed, since 2006, nobody has told me there was a problem with  
permissions. But also, both recipes provide a way to remove the thumbnails  
from within the wiki with ?action=purgethumbs so probably nobody needed  
this, ever.

> There probably should be, although PHP installations running under
> "nobody" accounts are becoming far less common (and this is a
> very good thing IMO).

I'll add it, but without a second argument for now.

Petko

More information about the pmwiki-users mailing list