On Sun, Apr 01, 2007 at 10:12:27AM -0400, Henrik wrote: > Patrick, > > I have attachment uploads set to use group subdirectories of an "uploads" > directory. The userid/groupid of upload subdirectories created by PHP > (PmWiki) before the upgrade are henrik/henrik (ie the userid/groupid of > the master account). The userid/groupid of directories created by PHP > after the upgrade are 99/99 identified in the phpinfo.php listing as > nobody(99)/nobody(99). > > I believe this constitutes proof, or at least evidence, that the > userid/groupid of PHP had changed, as you suggested.
Yes, it does. > I've asked the company to change the PHP userid/groupid back to the master > account values, as the change has also negatively effected other > applications. We'll see what they do. In practice this often turns out to be very difficult--it's generally not a simple configuration setting that an administrator can turn on or off. Usually it requires having somewhat special versions of PHP and/or Apache, or a fairly complex Apache virtual hosts configuration file, or using a setuid-root helper program to switch execution to a different userid (and that has its own set of security issues). I think that's one big reason why webhosting companies tend to stick with the default 'nobody' configuration -- it's too difficult to reliably sustain any other execution model across various PHP and Apache version upgrades. It's a pity, too, because having scripts execute as the account holder is more secure (and easier to deal with) in many contexts. Pm _______________________________________________ pmwiki-users mailing list [email protected] http://www.pmichaud.com/mailman/listinfo/pmwiki-users
