On Wed, Mar 14, 2007 at 09:21:47PM -0700, Grant D. Watson wrote:
> The individual files that are uploaded,
> however, are owned by www-data, in the www-data group,
> and world writable (unlike the directories)!

I think it's a problem with PHP's move_uploaded_file function. When the file is created by PHP, it receives certain ownerships and permissions based on the temporary directory in which it is stored, and the act of moving the file into the new directory (with setgid permissions) doesn't change the group ownership of the file. PmWiki then leaves the file as world-write so that the account owner still has the ability to modify the file.

I think the solution to this may be to use something other than PHP's built-in move_uploaded_file() function to take care of moving the file into the upload directory. Then the newly created file would have the correct permissions.

I'll look into it a bit further. You might also file a new PITS entry for this, if one doesn't already exist.

http://www.pmwiki.org/wiki/PITS/NewIssue

Thanks!

Pm
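
The difference described in the message above, as an added example (not code from PmWiki, PHP, or the original thread): a rename keeps the temp file's inode, and with it the group and mode, while creating a new file inside the setgid upload directory picks up the directory's group and an explicitly chosen mode. It assumes Linux semantics; the function names, the 0664 target mode and the temp-file stand-in for PHP's upload file are hypothetical. Run under a single account, only the mode difference is visible. The group difference appears when the temp directory and the upload directory belong to different groups.

```python
import os, shutil, stat, tempfile

def place_by_rename(src, dest_dir):
    """Move with rename(2): same inode, so owner, group and mode are unchanged."""
    dest = os.path.join(dest_dir, os.path.basename(src))
    os.rename(src, dest)
    return dest

def place_by_copy(src, dest_dir, mode=0o664):
    """Create a new file inside dest_dir and copy the bytes into it.

    The new inode is created in dest_dir, so on Linux a setgid directory
    gives it the directory's group; the mode is then set explicitly.
    """
    dest = os.path.join(dest_dir, os.path.basename(src))
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
        os.fchmod(out.fileno(), mode)  # explicit, independent of umask
    os.unlink(src)
    return dest

def describe(path):
    st = os.stat(path)
    return {"gid": st.st_gid, "mode": stat.S_IMODE(st.st_mode)}

def demo():
    """Constructed scenario: a 0600 temp file stands in for the upload temp file."""
    root = tempfile.mkdtemp()
    tmp_dir = os.path.join(root, "tmp")
    uploads = os.path.join(root, "uploads")
    os.mkdir(tmp_dir)
    os.mkdir(uploads)
    os.chmod(uploads, 0o2775)  # setgid upload directory
    results = {"dir_gid": os.stat(uploads).st_gid}
    for name, place in (("rename", place_by_rename), ("copy", place_by_copy)):
        fd, src = tempfile.mkstemp(dir=tmp_dir)  # mkstemp creates mode 0600
        os.write(fd, b"constructed upload body")
        os.close(fd)
        results[name] = describe(place(src, uploads))
    shutil.rmtree(root)
    return results

if __name__ == "__main__":
    print(demo())
```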
