created file permissions
Posted: Thu Sep 28, 2006 11:41 pm
by planigan
We really need a way to specify the permissions of files that s9y creates. So far, when s9y creates a file on my server, it gets set rw-rw-rw- ... i.e., world readable and writable! This is not good in shared hosting environments!
Posted: Fri Sep 29, 2006 4:38 am
by judebert
Serendipity doesn't usually create files, except in templates_c/ -- and when SPARTACUS downloads a plugin. The SPARTACUS plugin has a configuration option for both user and permissions.
Am I missing something? Are you getting other files created by Serendipity?
Posted: Fri Sep 29, 2006 4:56 am
by planigan
If .htaccess does not exist when you change the URL rewriting options, s9y attempts to create it. If / when it creates the file, it creates it with world readable file permissions.
Before setting URL rewrite options...
pat@freestd ~/domains/patricklanigan.org/public_html $ ls -l .htaccess
ls: .htaccess: No such file or directory
After setting URL rewrite options...
pat@freestd ~/domains/patricklanigan.org/public_html $ ls -l .htaccess
-rw-rw-rw- 1 apache apache 1866 Sep 28 22:52 .htaccess
Of course, if you create your own .htaccess file and set the permissions yourself this doesn't matter.
Posted: Fri Sep 29, 2006 4:31 pm
by judebert
Ah. In that particular case, Serendipity has little control over the permissions. That depends on the umask on the server.
I'll check the code anyway and see if I can figure out a way to change it; the .htaccess definitely shouldn't be world-writeable!
Posted: Tue Oct 03, 2006 3:38 am
by planigan
I found another case... the media library creates thumbnails with "apache:apache rw-rw-rw-" permissions as well. I understand that s9y probably just creates the file with whatever default permissions our system uses, but those of us in shared hosting environments have little control over the default umask.
Immediately after creating the file, s9y should call PHP's chmod function to set the file permissions correctly. This could be wrapped in an API function, which could also take into account a global setting that allows users to specify the permissions for created files (G2 does something similar). All plugin writers should be encouraged to use this API in order to provide uniform file behavior.
Posted: Tue Oct 03, 2006 3:17 pm
by judebert
I think this is a good idea, and I'll look into it.
We will, however, get some grief from misconfigured servers. We've already found that safe_mode can interfere with SPARTACUS, for instance. So if the umask is set to create world-writeable files, and safe_mode is on, we won't be able to change the permissions. Then the users will get mad at us. Again.
But it's still the best thing to do, in my opinion.
Posted: Tue Oct 03, 2006 6:02 pm
by garvinhicking
Hi!
I'd vote for an approach like Spartacus; make the chmod/chown optional. Users who then enable that will need to take care that their server supports it...?
Regards,
Garvin
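Added example, not part of the thread and not Serendipity's own code: a sketch of the wrapper discussed above, with the chmod optional and a failed chmod reported instead of fatal. The function name `example_create_file` and the `createdFileMode` setting are hypothetical.

```php
<?php
// Added example: function name and config key are hypothetical, not Serendipity's API.

/**
 * Write $data to $path, then apply $mode if one is configured.
 * $mode is an octal int such as 0644, or null to keep the server default (umask).
 * A failed chmod() is reported, not fatal, so the caller can warn the admin.
 */
function example_create_file(string $path, string $data, ?int $mode = null): array
{
    $result = ['written' => false, 'chmod' => 'skipped', 'mode' => null, 'world_writable' => null];

    if (file_put_contents($path, $data, LOCK_EX) === false) {
        return $result;
    }
    $result['written'] = true;

    if ($mode !== null) {
        // Mask to permission bits only; suppress the warning and report instead.
        $result['chmod'] = @chmod($path, $mode & 0777) ? 'ok' : 'failed';
    }

    // Read back what the file actually ended up with, bypassing PHP's stat cache.
    clearstatcache(true, $path);
    $perms = fileperms($path);
    if ($perms !== false) {
        $result['mode'] = sprintf('%04o', $perms & 0777);
        $result['world_writable'] = ($perms & 0002) !== 0;
    }
    return $result;
}

// Constructed demo: umask(0) reproduces the rw-rw-rw- default from the thread.
$oldUmask = umask(0);
$config = ['createdFileMode' => '0644'];           // hypothetical setting, octal string
$mode = $config['createdFileMode'] === '' ? null : (int) octdec($config['createdFileMode']);

foreach (['server default' => null, 'configured' => $mode] as $label => $m) {
    $path = sys_get_temp_dir() . '/example_htaccess_' . uniqid();
    $r = example_create_file($path, "# constructed sample\n", $m);
    printf("%-14s mode=%s chmod=%s world_writable=%s\n",
        $label, $r['mode'], $r['chmod'], var_export($r['world_writable'], true));
    @unlink($path);
}
umask($oldUmask);
```

The `world_writable` flag lets the caller warn the administrator when the setting is left empty or the chmod fails and the file still ends up rw-rw-rw-.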