[wp-testers] 664 - 404

Aaron Brazell aaron at technosailor.com
Sat Apr 2 18:23:05 GMT 2005


You are right, of course, but I think possibly overcomplicating this.

WordPress does not need .htaccess to be 666 to run. It needs it to be 666 so
the WP software can write rewrite rules. However, if the .htaccess was 664
or 644, WP will tell you, "I could write to this if you allowed me to but
since you don't then put all this crap in your .htaccess file". At this
point, the user can manually copy and paste the WP-generated rewrite rules
into .htaccess via FTP, shell or online file manager - whichever they
prefer.

In other words, it is a point of convenience to have WP write those rules
automatically, but it leaves the door wide open for a rogue process to
corrupt the file, in the most innocent form, or completely rewrite the file
in a purely malicious way.

Aaron Brazell____________
Editor, Technosailor.com
http://www.technosailor.com
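As an added illustration (not code from this thread or from WordPress), the script below encodes the permission reasoning the thread goes through: which of 644/664/666 a web-server process can actually write depending on who owns .htaccess, whether a mode is world-writable, and the fallback Aaron describes of handing the generated rules back for manual paste instead of demanding 666. The UIDs/GIDs, the placeholder rule text and the temporary .htaccess it creates are constructed samples; the function names are my own.

```python
#!/usr/bin/env python3
"""Check who can write .htaccess and fall back to manual paste instead of 666.

Added example, not code from the thread or from WordPress.
"""
import os
import stat
import tempfile

# Constructed placeholder standing in for the rewrite rules WP generates.
GENERATED_RULES = "# (placeholder for WP-generated rewrite rules)\n"


def can_write(mode, file_uid, file_gid, proc_uid, proc_gids):
    """POSIX write check: can a process with proc_uid/proc_gids write a file?

    Exactly one class applies: owner if the UIDs match, else group if the
    file's GID is one of the process's groups, else other. Root bypasses
    the mode bits entirely.
    """
    if proc_uid == 0:
        return True
    if proc_uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def is_world_writable(mode):
    """True for 666-style modes: any local process could rewrite the file."""
    return bool(mode & stat.S_IWOTH)


def install_rules(path, rules):
    """Try to append rules in place; if denied, hand them back for manual paste.

    Returns (written, rules_to_paste). This is the fallback Aaron describes:
    the user copies the text into .htaccess over FTP or a shell, and the
    file never has to be opened up to 666.
    """
    try:
        with open(path, "a") as fh:
            fh.write(rules)
        return True, ""
    except PermissionError:
        return False, rules


def audit(path):
    """Summarise an existing file's mode and whether this process can write it."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    groups = [os.getegid()] + list(os.getgroups())
    return {
        "mode": oct(mode),
        "world_writable": is_world_writable(mode),
        "writable_by_me": can_write(mode, st.st_uid, st.st_gid, os.geteuid(), groups),
    }


def main():
    # Constructed sample: .htaccess owned by the site user (uid/gid 1000);
    # under mod_php PHP runs as the web server (uid/gid 33), as in Podz's case.
    site, web = (1000, 1000), (33, [33])
    for mode in (0o644, 0o664, 0o666):
        print("%s  web server can write: %-5s  world-writable: %s" % (
            oct(mode), can_write(mode, *site, *web), is_world_writable(mode)))
    # File group set to the web server's group (Robert's chown point): 664 is enough.
    print("0o664 with gid 33: %s" % can_write(0o664, 1000, 33, *web))
    # su-exec/FastCGI (Kim's setup): PHP runs as the owner, so 600 suffices
    # for WP and nobody else on the box can read or write the file.
    print("0o600 as owner: %s" % can_write(0o600, 1000, 1000, 1000, [1000]))

    # Live check on a constructed .htaccess in a temp directory.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".htaccess")
        open(path, "w").close()
        os.chmod(path, 0o644)
        print(audit(path))
        written, to_paste = install_rules(path, GENERATED_RULES)
        print("written in place" if written else "paste this:\n" + to_paste)


if __name__ == "__main__":
    main()
```

Note that `audit()` reports both the arithmetic answer and the file's actual mode, so a world-writable .htaccess shows up even when the current process happens to be its owner; and because root passes every check, run it as the same identity PHP runs under to get a meaningful answer.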
 

-----Original Message-----
From: wp-testers-bounces at lists.automattic.com
[mailto:wp-testers-bounces at lists.automattic.com] On Behalf Of Kimmo Suominen
Sent: Saturday, April 02, 2005 1:06 PM
To: wp-testers at lists.automattic.com
Subject: Re: [wp-testers] 664 - 404

Without root access on the server, it is often not possible to change
the ownership of the file, and many times not even the group.  (Just
think how convenient it would be to change some large files to another
owner so your used quota goes down.)  This leaves mode 666 as the only
option on systems using mod_php (or other methods where PHP code runs
with the UID of the web server).

Using su-exec and fast-cgi to run PHP code as the owner of the website
is a great approach.  Files can be mode 600 and the apps can write them,
leaving them protected from everyone else.  The downside to that is that
the PHP code could also write other files owned by the user, such as
$HOME/.ssh/authorized_keys and compromise the account.  (With mod_php
the webserver UID usually has other restrictions that would protect it
against such compromise, e.g. an invalid shell.)

Regards,
+ Kim
-- 
<A HREF="http://kimmo.suominen.com/">Kimmo Suominen</A>


On Sat, Apr 02, 2005 at 12:38:21PM -0500, Aaron Brazell wrote:
> I would agree with this adding a minor bit that yes, WP cannot write to it
> if it is any less than 666, but WP not writing to it means no one else
> outside the group or the owner can write to it either. I'm actually a little
> alarmed, and have been, that WP encourages .htaccess to be 666 so it can
> write to it. It's handy for WP but a major security issue as well.
> 
>  
> 
> Aaron Brazell____________
> 
> Editor, Technosailor.com
> 
> http://www.technosailor.com
> 
>  
> 
>   _____  
> 
> From: wp-testers-bounces at lists.automattic.com
> [mailto:wp-testers-bounces at lists.automattic.com] On Behalf Of Robert Deaton
> Sent: Saturday, April 02, 2005 11:22 AM
> To: wp-testers at lists.automattic.com
> Subject: Re: [wp-testers] 664 - 404
> 
>  
> 
> Server config wouldn't have much to do with it, but chowning the file would.
> If your .htaccess isn't chowned to the same user or group as the webserver,
> then 664 isn't enough, because only the user and group that own the file
> would be able to write to it. It's always safer to give only the minimum
> permissions necessary, so a lot of people note that it's best to put it as
> 664.
> 
> On Apr 2, 2005 9:58 AM, Gregory Wild-Smith <greg at twilightuniverse.com>
> wrote:
> 
> Mine is 644, and wp handles that fine.
> 
> Some servers handle permissions differently though, so my guess is for
> your server you need 666 *shrugs* one of those weird server config
> issues I would guess.
> 
> Podz wrote:
> 
> > If my .htaccess is 664, wp will not (cannot ?) write to it, so pages 404.
> > If I change it to 666, all is good.
> >
> > Noting it because I have seen in a couple of places that 664 or less
> > is better for .htaccess ?
> >
> >------------------------------------------------------------------------
> >
> >_______________________________________________
> >wp-testers mailing list
> >wp-testers at lists.automattic.com
> >http://lists.automattic.com/mailman/listinfo/wp-testers
> >
> >
> 
> 
> 
> 
> 
> -- 
> --Robert Deaton
> http://anothersadsong.com
> 

