Thread:Extension talk:Widgets/potential security issue questions/reply

I'm not the extension author, so I'm basing this on other knowledge I have on how webservers work, etc.

From what I can tell, the reason to make this writable by everyone is because the webserver runs as a (presumably) different user than you who owns the files. Since the webserver (PHP specifically) needs to be able to write to that directory, you need to give that user write permissions. The easiest way to do this without assuming people have strong working knowledge of Linux permissions is to simply make it writable by everyone. Is this the most secure way to do so? Absolutely not, but it certainly is the easiest to follow. Alternatives include running PHP as a CGI module (via FastCGI or similar) in Apache so that the PHP gets executed as the user who owns the file, and thus you would not need to make it world-writable. Another alternative is to chown/chgrp (dunno if chgrp is a command or not, but it sounds like it should be) to the user PHP/Apache is running as (probably www-data or nobody) so that you can set user/group permissions instead of world permissions.
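The chgrp alternative from the reply above, sketched as an added example (not part of the original post and not the extension's own code). It assumes the writable directory is passed in by the caller and that the web server's group is www-data, one of the guesses in the post; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: the caller supplies the directory path, and the
# web server runs in group www-data (check your own server's configuration).

# Print every file or directory under $1 that is writable by "other".
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Succeed only if nothing under $1 is world-writable.
no_world_writable() {
    [ -z "$(list_world_writable "$1")" ]
}

# Hand $1 to group $2 and replace world write with group write.
# chgrp to a group you are not a member of needs root.
grant_group_write() {
    dir=$1 group=$2
    chgrp -R "$group" "$dir" || return 1
    chmod -R g+rwX,o-w "$dir" || return 1
    # setgid on directories so files PHP creates later keep the group
    find "$dir" -type d -exec chmod g+s {} +
}

# Usage: sh fix-perms.sh /path/to/writable/dir www-data
if [ "$#" -eq 2 ]; then
    echo "world-writable before:"; list_world_writable "$1"
    grant_group_write "$1" "$2" || exit 1
    no_world_writable "$1" && echo "no world-writable entries remain"
fi
```

Your own account stays the owner, so you can still edit the files, and the web server gets write access through the group rather than through the world bits.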