potential security issue questions

I'm not the extension author, so I'm basing this on other knowledge I have on how webservers work, etc.

From what I can tell, the reason to make this writable by everyone is because the webserver runs as a (presumably) different user than you who owns the files. Since the webserver (PHP specifically) needs to be able to write to that directory, you need to give that user write permissions. The easiest way to do this without assuming people have strong working knowledge of Linux permissions is to simply make it writable by everyone. Is this the most secure way to do so? Absolutely not, but it certainly is the easiest to follow. Alternatives include running PHP as a CGI module (via FastCGI or similar) in Apache so that the PHP gets executed as the user who owns the file, and thus you would not need to make it world-writable. Another alternative is to chown/chgrp (dunno if chgrp is a command or not, but it sounds like it should be) to the user PHP/Apache is running as (probably www-data or nobody) so that you can set user/group permissions instead of world permissions.

Skizzerz 07:30, 5 April 2011
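The group-ownership alternative from the post above, as an added example that is not from the extension or from either poster. The directory path and the `www-data` group in the usage comment are assumptions; the thread does not name the directory, and the group depends on how the web server is configured.

```shell
#!/usr/bin/env bash
# Added example: swap a world-writable directory for group-based write access.

# Succeeds when the path itself carries the "other: write" permission bit.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]
}

# Give the directory to the web server's group and remove all "other" access.
# usage: restrict_to_group <dir> <group>
restrict_to_group() {
    local dir=$1 group=$2
    if [ -L "$dir" ]; then
        echo "refusing to follow symlink: $dir" >&2
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # chgrp needs root, or ownership of the directory plus membership in the group.
    chgrp "$group" "$dir" || return 1
    # 2770: owner rwx, group rwx, other none; setgid makes new files inherit the group.
    chmod 2770 "$dir" || return 1
    # Report success only if the world-write bit is really gone.
    ! is_world_writable "$dir"
}

# Print everything under a tree that is still world-writable (symlinks skipped),
# so leftovers from an earlier chmod -R 777 can be reviewed one by one.
audit_tree() {
    find "$1" ! -type l -perm -0002 -print
}

# Typical use (assumed path and group, run as root or as the directory owner):
#   restrict_to_group /path/to/writable/dir www-data
#   audit_tree /path/to/writable/dir
```

The account that owns the files keeps full access as owner, PHP writes through the group bits, and other local accounts lose access to the directory.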

That's kind of what I was thinking. Anyway, it works fine. Thanks for the quick reply.

Gobrien 16:41, 5 April 2011