[wp-testers] Automatic upgrade still failing
Ryan Boren
ryan at boren.nu
Mon Nov 3 17:35:29 GMT 2008
On Mon, Nov 3, 2008 at 9:27 AM, Otto <otto at ottodestruct.com> wrote:
> On Mon, Nov 3, 2008 at 11:00 AM, Ryan Boren <ryan at boren.nu> wrote:
>> We go through pains to make sure we're compatible with a secure site.
>> Unlike other upgraders, it does not require that files be writable by
>> the webserver. Nor does it change permissions via FTP so that files
>> can be written by the webserver.
>
> These two statements are fundamentally at odds here. If the files are
> not writable by the webserver, then they cannot be overwritten by a
> copy operation.
That's why we use FTP for those cases.
> In other words, if owner does not have +w, then it fails.
Yes, if someone has inconsistent file permissions when using direct.
>> We try to make sure direct is used only when files created by the webserver
>> have the same owner as the WP files.
>
> In other words, upgrade core only uses direct in cases where you're
> running suPHP (or similar method)? While this is many hosts, it's
> certainly not *all* hosts.
Indeed, that's why we use ftpext, ftpsockets, or ssh2 when the host
doesn't provide suPHP.
> And even then, it's generally not a good
> idea to leave your files writable. True, the webserver is running as
> the owner, so it can change permissions too, but many scripts don't do
> that. And some popular plugins (notably WP-Super-Cache) actively warns
> against it in those cases, as it complains that the files are writable
> by the webserver.
So we need to make sure we fallback to FTP when the server is suPHP
but the user has removed owner write access for all files.
More information about the wp-testers
mailing list