[pmwiki-users] Uploaded files world readable!?

Petko Yotov 5ko at 5ko.fr
Mon Dec 31 10:55:31 CST 2012


Oliver Betz writes:
> Where I use $EnableDirectDownload=0;, I don't need to add permissions
> for group or other.

Sure, in this case one can see those files on your http server (wiki) but if the FTP account is not the same as the PHP process, one may be unable to delete them.

> And we also should think about _removing_ permissions, see below!

I'll work on this. Or more simply a way to "set" the permissions you need.

> I found 0640 and 0664 permissions for Mini thumbs. The latter is
> nonsense IMNSHO

Mini thumbs are created with what are the default permissions for the PHP installation; Mini doesn't do anything to change permissions. But we'll make them have the same permissions as the uploaded files.

> Files uploaded by PmWiki got 0664 in all three cases - fixperms adds
> unneeded group write (and read) permissions even if PHP runs under the
> customer's account.
> If I understand correctly, other customers on the same server can
> therefore not only read files written by PmWiki but also write them if
> they can guess the file path.

No, the permissions PmWiki adds do not allow a file to be modified by another customer -- if such permissions exist, they are not added by PmWiki, but by the PHP configuration.

If other customers are in the "users" group, it might be possible to "read" your files, and even this is totally unacceptable.

Petko
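Added example for the permission problem discussed in this message (not PmWiki's fixperms code): a small POSIX shell audit that lists uploaded files with any group/other access and a function that drops those bits. It assumes the files are owned by the PHP process user and that `$EnableDirectDownload=0`, so the web server itself never needs to read them; with direct download enabled, 0600 would break serving.

```shell
#!/bin/sh
# Added example, not part of PmWiki. Audits an uploads directory for files that
# group or other can read, write or execute (e.g. the 0664 and 0640 modes seen in
# the thread) and tightens them to owner-only. Assumes the PHP process owns the
# files and $EnableDirectDownload=0, so nobody but the owner needs access.
# Uses only POSIX find(1) and chmod(1); symbolic -perm tests work on GNU and BSD.

# Print every regular file under $1 with any group or other permission bit set.
audit_uploads() {
    find "$1" -type f \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                         -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
}

# Number of exposed files; 0 means only the owner can access anything under $1.
count_exposed() {
    audit_uploads "$1" | wc -l | tr -d ' '
}

# Remove group/other bits. Files become 0600; directories 0700 because the owner
# still needs x to traverse them. Note that 0640 would still let every member of
# a shared group such as "users" read the files.
tighten_uploads() {
    find "$1" -type f -exec chmod 0600 {} +
    find "$1" -type d -exec chmod 0700 {} +
}
```

Run `audit_uploads /path/to/uploads` first to see what is exposed before calling `tighten_uploads`.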
