Oliver Betz writes:
Where I use $EnableDirectDownload=0;, I don't need to add permissions for group or other.
Sure, in this case one can see those files on your http server (wiki) but if the FTP account is not the same as the PHP process, one may be unable to delete them.
And we also should think about _removing_ permissions, see below!
I'll work on this. Or more simply a way to "set" the permissions you need.
I found 0640 and 0664 permissions for Mini thumbs. The latter is nonsense IMNSHO.
Mini thumbs are created with what are the default permissions for the PHP installation, Mini doesn't do anything to change permissions. But we'll make them have the same permissions as the uploaded files.
Files uploaded by PmWiki got 0664 in all three cases - fixperms adds unneeded group write (and read) permissions even if PHP runs under the customer's account. If I understand correctly, other customers on the same server can therefore not only read files written by PmWiki but also write them if they can guess the file path.
No, the permissions PmWiki adds do not allow a file to be modified by another customer -- if such permissions exist, they are not added by PmWiki, but by the PHP configuration.
If other customers are in the "users" group, it might be possible to "read" your files, and even this is totally unacceptable.
Petko
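Added example, not part of the original thread or of PmWiki's code: a small Python audit that decodes the group and other permission bits of files in an upload directory, so the 0640 and 0664 modes discussed above can be checked on a real host. The file names and the `audit_sample` helper are constructed for illustration.

```python
import os
import stat
import tempfile

# Permission bits that give access to anyone other than the file owner.
CHECKS = (
    (stat.S_IRGRP, "group-read"),
    (stat.S_IWGRP, "group-write"),
    (stat.S_IROTH, "other-read"),
    (stat.S_IWOTH, "other-write"),
)

def describe(mode):
    """Return the group/other access that a permission mode grants."""
    return [label for bit, label in CHECKS if mode & bit]

def audit(root):
    """Map relative path -> (octal mode, findings) for every file under
    root that grants any access beyond its owner."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            found = describe(mode)
            if found:
                report[os.path.relpath(path, root)] = (oct(mode), found)
    return report

def audit_sample():
    """Build a constructed upload directory using the modes from the
    thread (plus an owner-only file) and audit it."""
    samples = (("thumb_a.jpg", 0o640), ("thumb_b.jpg", 0o664),
               ("private.txt", 0o600))
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in samples:
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("sample")
            os.chmod(path, mode)  # set the exact mode, independent of umask
        return audit(tmp)

if __name__ == "__main__":
    for rel, (mode, found) in sorted(audit_sample().items()):
        print(f"{rel}: {mode} -> {', '.join(found)}")
```

Point `audit()` at the wiki's uploads directory to list every file whose mode reaches beyond the owning account; whether group access matters depends on which accounts share the file's group on that host.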
