[pmwiki-users] Uploaded files world readable!?

Oliver Betz list_ob at gmx.net
Mon Dec 31 11:39:06 CST 2012


Petko Yotov wrote:

[...]

>> I found 0640 and 0664 permissions for Mini thumbs. The latter is
>> nonsense IMNSHO
>
>Mini thumbs are created with what are the default permissions for the PHP
>installation, Mini doesn't do anything to change permissions. But we'll make

just to avoid misunderstandings: I mentioned the Mini thumbs just to
demonstrate the defaults of files written by PHP, I didn't want to say
that Mini sets nonsense permissions.

>them have the same permissions as the uploaded files.
>
>> Files uploaded by PmWiki got 0664 in all three cases - fixperms adds
>> unneeded group write (and read) permissions even if PHP runs under the
>> customers account.

I got this wrong. Permissions are only added "if
(fileowner($fname)!=@fileowner('.'))".

>> If I understand correctly, other customers on the same server can
>> therefore not only read files written by PmWiki but also write them if
>> they can guess the file path.
>
>No, the permissions PmWiki adds do not allow a file to be modified by
>another customer -- if such permissions exist, they are not added by PmWiki,
>but by the PHP configuration.
>
>If other customers are in the "users" group, it might be possible to "read"
>your files, and even this is totally unacceptable.

Right, but for files to be accessed directly by Apache, it's
unavoidable in many hosting environments.

Maybe it would be an interesting option for the Site Analyzer to check the
permissions set by default and needed for PHP and the web server.

Oliver
-- 
Oliver Betz, Muenchen (oliverbetz.de)
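The check proposed for the Site Analyzer above, as an added example that is not part of the original message and not PmWiki's own code: a POSIX sh script that reports the mode a file written by PHP gets under the current umask (0666 & ~umask, since PHP does not chmod on write) and then walks an upload directory listing every file that group or others can read or write, noting whether those bits are needed at all given the uid the web server runs as. It assumes GNU `stat -c`; the function names `default_file_mode` and `audit_uploads`, the output labels, and the optional web-server uid argument are this example's own.

```shell
#!/bin/sh
# Added example, not PmWiki code. Audits an upload directory for files that
# group or others can access, in the spirit of the Site Analyzer check
# suggested in the thread. Assumes GNU stat (-c) and a POSIX sh.

# Mode a freshly created file gets under the caller's umask. PHP does not
# chmod on write, so this is the "default permissions for the PHP
# installation" the thread refers to (0666 & ~umask).
default_file_mode() {
    probe_dir=$(mktemp -d)
    : > "$probe_dir/probe"
    stat -c '%a' "$probe_dir/probe"
    rm -rf "$probe_dir"
}

# audit_uploads DIR [WEB_UID]
# Prints one line per file under DIR whose mode grants group or others any
# access: "<mode> <label> <path> [<note>]". Owner-only files are not listed.
# If WEB_UID (the uid Apache/PHP runs as) is given and equals the file owner,
# the group/other bits are marked unneeded (the web server can already read
# the file as its owner). Otherwise read bits may be needed for Apache to
# serve the file directly, but write bits for group/other never are.
audit_uploads() {
    dir=$1
    web_uid=${2:-}
    find "$dir" -type f -print | while IFS= read -r f; do
        sym=$(stat -c '%A' "$f")        # e.g. -rw-rw-r--
        case "$sym" in
            ????------) continue ;;     # owner-only: nothing to report
        esac
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%u' "$f")
        # position 6 is the group write bit, position 9 the other write bit
        case "$sym" in
            ?????w???? | ????????w?) label="writable-by-group-or-other" ;;
            *)                       label="readable-by-group-or-other" ;;
        esac
        note=""
        if [ -n "$web_uid" ] && [ "$owner" = "$web_uid" ]; then
            note=" (unneeded: web server uid owns the file)"
        elif [ "$label" = "writable-by-group-or-other" ]; then
            note=" (never needed for serving)"
        fi
        printf '%s %s %s%s\n' "$mode" "$label" "$f" "$note"
    done
}

# Usage when run directly: ./audit.sh /path/to/wiki/uploads [web-server-uid]
if [ -n "${1:-}" ]; then
    echo "default mode for files written under umask $(umask): $(default_file_mode)"
    audit_uploads "$1" "${2:-}"
fi
```

Run it as the account that owns the wiki, passing the uid PHP runs under (`ps -o uid= -C apache2` or the hosting panel will tell you); any line marked "unneeded" is a bit that can be dropped with `chmod o-rwx,g-rwx`, and a "writable" line is worth fixing regardless of who the web server runs as.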
