On Mon, Nov 3, 2008 at 9:27 AM, Otto <[EMAIL PROTECTED]> wrote: > On Mon, Nov 3, 2008 at 11:00 AM, Ryan Boren <[EMAIL PROTECTED]> wrote: >> We go through pains to make sure we're compatible with a secure site. >> Unlike other upgraders, it does not require that files be writable by >> the webserver. Nor does it change permissions via FTP so that files >> can be written by the webserver. > > These two statements are fundamentally at odds here. If the files are > not writable by the webserver, then they cannot be overwritten by a > copy operation.
That's why we use FTP for those cases. > In other words, if owner does not have +w, then it fails. Yes, if someone has inconsistent file permissions when using direct. >> We try to make sure direct is used only when files created by the webserver >> have the same owner as the WP files. > > In other words, upgrade core only uses direct in cases where you're > running suPHP (or similar method)? While this is many hosts, it's > certainly not *all* hosts. Indeed, that's why we use ftpext, ftpsockets, or ssh2 when the host doesn't provide suPHP. > And even then, it's generally not a good > idea to leave your files writable. True, the webserver is running as > the owner, so it can change permissions too, but many scripts don't do > that. And some popular plugins (notably WP-Super-Cache) actively warns > against it in those cases, as it complains that the files are writable > by the webserver. So we need to make sure we fallback to FTP when the server is suPHP but the user has removed owner write access for all files. _______________________________________________ wp-testers mailing list [email protected] http://lists.automattic.com/mailman/listinfo/wp-testers
