[wp-testers] 664 - 404

Kimmo Suominen kim at tac.nyc.ny.us
Sat Apr 2 18:06:13 GMT 2005


Without root access on the server, it is often not possible to change
the ownership of the file, and many times not even the group.  (Just
think how convenient it would be to change some large files to another
owner so your used quota goes down.)  This leaves mode 666 as the only
option on systems using mod_php (or other methods where PHP code runs
with the UID of the web server).

Using su-exec and fast-cgi to run PHP code as the owner of the website
is a great approach.  Files can be mode 600 and the apps can write them,
leaving them protected from everyone else.  The downside to that is that
the PHP code could also write other files owned by the user, such as
$HOME/.ssh/authorized_keys and compromise the account.  (With mod_php
the webserver UID usually has other restrictions that would protect it
against such compromise, e.g. an invalid shell.)

Regards,
+ Kim
-- 
<A HREF="http://kimmo.suominen.com/">Kimmo Suominen</A>
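An added example (not from the thread) that models the permission trade-off discussed above: whether the PHP process can write `.htaccess` under mod_php versus su-exec/FastCGI, and whether the mode needed to make that work leaves the file world-writable. The uids, gids and modes are constructed placeholders; `can_write` implements only classic owner/group/other bits (no root, no ACLs).

```python
import os
import stat


def can_write(mode: int, file_uid: int, file_gid: int, proc_uid: int, proc_gids) -> bool:
    """Classic Unix discretionary check: may a process running as
    proc_uid with supplementary groups proc_gids write this file?
    Only the first matching class (owner, then group, then other) is
    consulted, exactly as the kernel does. Root and ACLs are ignored."""
    if proc_uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def world_writable(mode: int) -> bool:
    """True when any local account can modify the file (the mode 666 risk)."""
    return bool(mode & stat.S_IWOTH)


def assess(mode: int, file_uid: int, file_gid: int, web_uid: int, web_gids) -> dict:
    """Summarise one .htaccess file: can the web app write it, and at what cost?"""
    return {
        "app_can_write": can_write(mode, file_uid, file_gid, web_uid, web_gids),
        "world_writable": world_writable(mode),
    }


def assess_path(path: str, web_uid: int, web_gids) -> dict:
    """Same check against a real file on disk, for auditing a deployment."""
    st = os.stat(path)
    return assess(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, web_uid, web_gids)


if __name__ == "__main__":
    SITE_UID, SITE_GID = 1001, 1001  # hypothetical site owner (constructed)
    WWW_UID, WWW_GIDS = 33, {33}     # hypothetical mod_php worker user (constructed)
    # mod_php, file owned by the site user: 664 is not writable by the server,
    # which is the 404 symptom; 666 fixes it but opens the file to everyone.
    print("mod_php 664:", assess(0o664, SITE_UID, SITE_GID, WWW_UID, WWW_GIDS))
    print("mod_php 666:", assess(0o666, SITE_UID, SITE_GID, WWW_UID, WWW_GIDS))
    # Adding the server user to the site group makes 664 sufficient.
    print("mod_php 664 + group:", assess(0o664, SITE_UID, SITE_GID, WWW_UID, {33, SITE_GID}))
    # su-exec/FastCGI: PHP runs as the owner, so 600 is enough and private.
    print("suexec 600:", assess(0o600, SITE_UID, SITE_GID, SITE_UID, {SITE_GID}))
```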


On Sat, Apr 02, 2005 at 12:38:21PM -0500, Aaron Brazell wrote:
> I would agree with this adding a minor bit that yes, WP cannot write to it
> if it is any less than 666, but WP not writing to it means no one else
> outside the group or the owner can write to it either. I'm actually a little
> alarmed, and have been, that WP encourages .htaccess to be 666 so it can
> write to it. It's handy for WP but a major security issue as well.
> 
> Aaron Brazell
> Editor, Technosailor.com
> http://www.technosailor.com
> 
> From: wp-testers-bounces at lists.automattic.com
> [mailto:wp-testers-bounces at lists.automattic.com] On Behalf Of Robert Deaton
> Sent: Saturday, April 02, 2005 11:22 AM
> To: wp-testers at lists.automattic.com
> Subject: Re: [wp-testers] 664 - 404
> 
> Server config wouldn't have much to do with it, but chowning the file would.
> If your .htaccess isn't chowned to the same user or group as the webserver,
> then 664 isn't enough, because only the user and group that own the file
> would be able to write to it. It's always safer to give only the minimum
> permissions necessary, so a lot of people note that it's best to put it as
> 664.
> 
> On Apr 2, 2005 9:58 AM, Gregory Wild-Smith <greg at twilightuniverse.com>
> wrote:
> 
> Mine is 644, and wp handles that fine.
> 
> Some servers handle permissions differently though, so my guess is for
> your server you need 666 *shrugs* one of those weird server config
> issues I would guess.
> 
> Podz wrote:
> 
> > If my .htaccess is 664, wp will not (cannot ?) write to it, so pages 404.
> > If I change it to 666, all is good.
> >
> > Noting it because I have seen in a couple of places that 664 or less
> > is better for .htaccess ?
> >
> >------------------------------------------------------------------------
> >
> >_______________________________________________
> >wp-testers mailing list
> >wp-testers at lists.automattic.com
> >http://lists.automattic.com/mailman/listinfo/wp-testers
> >
> >
> 
> -- 
> --Robert Deaton
> http://anothersadsong.com
> 