https://bugzilla.wikimedia.org/show_bug.cgi?id=73206
Bug ID: 73206
Summary: File upload area resorts to 0777 permissions for
uploaded content
Product: Wikimedia Labs
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: deployment-prep (beta)
Assignee: [email protected]
Reporter: [email protected]
Web browser: ---
Mobile Platform: ---
(Bryan Davis from <https://bugzilla.wikimedia.org/show_bug.cgi?id=73102#c3>)
> Ran `chmod -R =rwX /data/project/upload7` to fix all file permissions.
(Marc A. Pelletier from
<https://bugzilla.wikimedia.org/show_bug.cgi?id=73102#c4>)
> Be aware that doing so has given write permission to any authenticated user.
> This may not be a catastrophe in practice, but it has security impact.
(Bryan Davis from <https://bugzilla.wikimedia.org/show_bug.cgi?id=73102#c5>)
> (In reply to Marc A. Pelletier from comment #4)
> > Be aware that doing so has given write permission to any authenticated user.
> > This may not be a catastrophe in practice, but it has security impact.
>
> This has been the fix for this particular issue as long as I've been helping
> in beta. I agree that chmod 0777 is a lame solution, but the uid/gid
> mismatches and NFS4 acls are a bit of a blocker to proper management of the
> shared file permissions.
(Marc A. Pelletier from
<https://bugzilla.wikimedia.org/show_bug.cgi?id=73102#c6>)
> NFSv4 doesn't actually require UID concordance so long as the user /name/
> exists on the NFS server so that it doesn't fall back to numerical IDs - the
> proper solution to this is to make certain that any user or group that owns
> files in the shared filesystem exist on the NFS servers.
>
> In the general Labs case, this is done through LDAP - but users and groups
> coming from Debian packages need to either be added (before installation) to
> LDAP or added to the NFS servers.
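
An added example, not part of the bug thread or of Wikimedia's tooling: a shell audit for the two conditions discussed above, entries writable by "other" and owners that did not resolve to a name. The temp tree is constructed, the function names are hypothetical, `stat -c` assumes GNU coreutils, and treating `nobody`/`nogroup`/`UNKNOWN` as an unmapped owner is an assumed heuristic.

```shell
#!/bin/sh
# Added example: audit a shared upload tree. Paths are constructed temp dirs,
# not the real upload area named in the bug.

# Print every non-symlink entry that "other" can write to.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Print distinct "owner:group" pairs that did not map to a real name.
# Assumed heuristic: on an NFSv4 client a failed name lookup usually shows up
# as nobody/nogroup; GNU stat prints UNKNOWN for an id with no passwd entry.
unmapped_owners() {
    find "$1" -exec stat -c '%U:%G' {} + | sort -u |
        grep -E '(^|:)(nobody|nogroup|UNKNOWN)(:|$)' || true
}

# Count lines on stdin, without the padding some wc builds add.
count() { wc -l | tr -d ' '; }

# Build a constructed tree and compare the two permission modes.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/a/b" && : > "$d/a/b/img.png" && : > "$d/a/x.jpg"
    # Explicit "a=" form of the workaround. With no "who" (plain =rwX), chmod
    # leaves the bits set in the caller's umask untouched, so the result varies.
    chmod -R a=rwX "$d"
    before=$(world_writable "$d" | count)
    # Owner and group may write; everyone else may only read and traverse.
    chmod -R u=rwX,g=rwX,o=rX "$d"
    after=$(world_writable "$d" | count)
    rm -rf "$d"
    echo "$before $after"
}

demo   # prints "5 0": three directories and two files were world-writable
```

Run `world_writable` and `unmapped_owners` against the shared directory from a client that mounts it; any line from the second function names an owner or group to check for on the NFS server.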