On Wed, Apr 25, 2007 at 04:13:19PM -0500, Paul Carew wrote: > Essentially we have file uploads working, but they all get 'World' Write' > permission. > I tried changing umask in pmwiki/pmwiki.php, but this didn't stop the > problem. > I tried setting a umask in Apache, which would affect the permission, but > not the world write, it was still enabled > PHP seems to have a umask set as 0 > > Every file that gets uploaded has a permission set of: -rw-r--rw-
By default, PmWiki sets write permissions on files to guarantee that the account holder (i.e., the account that owns the directory containing wiki.d/ ) will continue to have write permissions to any file that PmWiki creates. In most environments, Apache runs PHP as a special "nobody" or "apache" user; thus any files that are created via a web script, including uploads, end up being owned by "nobody" or "apache". Normally this would mean that the real account holder (someone other than "nobody" or "apache") would be unable to remove the file or manipulate it. Therefore, PmWiki checks the file ownerships and permissions and turns on the minimum permissions necessary to guarantee that the account holder continues to have the ability to delete the file. In many cases, the only way to do this is to turn on world write permissions. If you really want to avoid the world write permissions, I can provide an option for that, but in most cases it's really not significantly more secure, and it would mean that the account holder would be unable to easily remove uploaded files. Hope this helps, Pm _______________________________________________ pmwiki-users mailing list [email protected] http://www.pmichaud.com/mailman/listinfo/pmwiki-users
