seemingly my posting from yesterday wasn't distributed to the list (at least I got no copy), so I try again:
"Patrick R. Michaud" wrote: >> upload.php uses "fixperms($filepath,0444);", therefore uploaded files >> get world read access, correct? >> Why is this needed? > >Short answer: Fixperms only adds the minimum permissions necessary >to ensure that the account owner has sufficient permission to access >the file. > >Longer answer: Some PHP installations run programs under a >special "nobody" or "apache" account, which means that any files >uploaded to the server are owned by that account and not the >account that installed PmWiki. If permissions aren't fixed, >this means that the person who installed PmWiki is sometimes >unable to view or even remove uploaded files from their own >account. > >The fixperms() function detects when this occurs and makes sure >that the account that installed PmWiki always retains appropriate >permissions to any files that are uploaded. Sometimes the only >way to do this is by adding world read permissions. > >If PHP is already running under the account of the PmWiki owner, >or if the default file permissions of uploaded files are such >that the owner will still be able to access the file, then fixperms() >doesn't do anything to the file. this might be true in most cases, but upload.php calls fixperms with _additional_ (unconditional) 0444 permissions, so even if I'm running PmWiki in a "good" environment where Apache, PHP and the (S)FTP server all use the same user ID, the files get world read permissions. I think that is not the intention of fixperms, and as far as I see, it makes the files readable for all other customers on the same server. My original question is: Why is the additional/unconditional 0444 "$add" parameter present in upload.php? Oliver -- Oliver Betz, Muenchen (oliverbetz.de) _______________________________________________ pmwiki-users mailing list [email protected] http://www.pmichaud.com/mailman/listinfo/pmwiki-users
