[wp-testers] 664 - 404

Morgan Doocy morgan at doocy.net
Sat Apr 2 20:57:24 GMT 2005


On Apr 2, 2005, at 10:23 AM, Aaron Brazell wrote:
> You are right, of course, but I think possibly overcomplicating this.

No, she's not overcomplicating it -- you're oversimplifying it. :-)

> WordPress does not need .htaccess to be 666 to run.

More precisely: if permalinks are enabled and the server has read-only 
access to the file, existing permalink settings will work, but new 
Pages created will not, nor will changes be able to be made to the 
permalink structure from within WordPress.

> It needs it to be 666 so the WP software can write rewrite rules.

Not necessarily. 666 will always work, but it's not the only option, 
and other options are more secure. It all depends on the file's owners 
and how that compares to the user the web server process is run as. If 
the server is run as you, the minimal permissions you need are 
you:you at 644 (or 600 if you're really paranoid). If it's run as someone 
else (usually www or something similar), then file ownership and group 
membership come into play. A few examples:

- www:www at 644 -- the server can read/write just fine (and therefore 
WordPress will be fully functional), but you can't hand edit the file 
from the shell.
- www:www at 664 -- same as above, UNLESS you is a member of group www, in 
which case you WILL have write access.
- you:you at 644 -- the server can read, but not write. Portions of 
WordPress functionality won't work.
- you:you at 664 -- same as above, UNLESS www is a member of group you, in 
which case www WILL have write access.
- www:you at 664 or you:www at 664 -- the server and you can both read/write, 
but no one else can write. This is ideal.
- www:www at 666 or you:you at 666 -- everyone can read/write, meaning 
WordPress will work and you can hand-edit the file -- but so can 
everyone else on the server. Insecure, but works.

> However, if the .htaccess was 664 or 644, WP will tell you, "I could 
> write to this if you allowed me to but since you don't then put all 
> this crap in your .htaccess file".

More accurately: WordPress displays this message if it cannot write to 
the file. The exact permissions will vary; WP simply asks the system if 
it has write access. If not, it displays the message. As you can 
see above, there are plenty of situations where WP would have write 
access with 644 or 664 permissions.

> In other words, it is a point of convenience to have WP write those 
> rules automatically, but it leaves the door wide open for a rogue 
> process to corrupt the file, in the most innocent form, or completely 
> rewrite the file in a purely malicious way.

Yes, 666 is insecure. See the ideal situation above.

Morgan
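The ownership/mode cases listed in the mail, worked through as an added example (not code from the thread or from WordPress): a small model of the Unix access check, where the class that applies to a process (owner, group, or other) is chosen first and only that class's bits are consulted. The principal names www, you and other are constructed to match the mail; root's bypass is not modelled.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A process identity: primary uid/gid plus supplementary groups (by name)."""
    uid: str
    gid: str
    groups: frozenset = frozenset()


def permission_class(owner: str, group: str, who: Principal) -> str:
    """Unix tests exactly one class, in this order: owner if the uid matches,
    else group if the file's group is the primary gid or a supplementary group,
    else other. Root's bypass is intentionally not modelled."""
    if who.uid == owner:
        return "owner"
    if group == who.gid or group in who.groups:
        return "group"
    return "other"


def access(owner: str, group: str, mode: int, who: Principal) -> str:
    """Return 'rw', 'r-', '-w' or '--' for the single class that applies to who."""
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(owner, group, who)]
    bits = (mode >> shift) & 0o7
    return ("r" if bits & stat.S_IROTH else "-") + ("w" if bits & stat.S_IWOTH else "-")


def htaccess_report(owner: str, group: str, mode: int, server: Principal,
                    you: Principal, stranger: Principal) -> dict:
    """Who can do what to .htaccess under the given ownership and mode,
    plus whether WordPress (running as the server) could rewrite it."""
    return {
        "server": access(owner, group, mode, server),
        "you": access(owner, group, mode, you),
        "stranger": access(owner, group, mode, stranger),
        "wp_can_write": "w" in access(owner, group, mode, server),
    }


if __name__ == "__main__":
    # Constructed identities; "other" stands for any unrelated account on a shared host.
    www, you, other = Principal("www", "www"), Principal("you", "you"), Principal("other", "other")
    for owner, group, mode in [("www", "www", 0o644), ("you", "you", 0o644),
                               ("www", "you", 0o664), ("you", "you", 0o666)]:
        print(f"{owner}:{group} {mode:o} ->", htaccess_report(owner, group, mode, www, you, other))
```

Passing a Principal with a supplementary group (for example you with groups={"www"}) reproduces the "UNLESS ... is a member of group" cases from the list above.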


