[wp-hackers] Checking getmyuid results in problems?
Berry Langerak
berry at ayavo.nl
Mon Nov 15 12:39:38 UTC 2010
Hi.
Here's my first post to the hacker mailing list. I've spent half my day
helping out a co-worker who has been experiencing problems with WPAU, as
a click on "upgrade automatically" on the Plug-ins page would result in
a form asking for FTP credentials and servername, and there's no FTP
server running on his localhost. I've been in the business for quite a
while, contributing to other projects, and earning my paycheck by
writing applications for customers, so I'm rather well-known with
permissions on Unix. Obviously, my first remark was: make sure that the
Apache user can write to the directories and files that wordpress has
installed.
So he did: his username was his local username (e.g. 'berry'), the group
was 'www-data', and the filepermissions were 0775, meaning the group
'www-data' was able to write to the files. Please do note that there was
at that time no problem to write wp-config.php from the installation
wizard, and it was also possible to edit plugins with the embedded
plugins editor. However, there was still no possibility to update the
plugins.
Now, having a <user>:www-data owner on files isn't that unusual: it's a
rather common way of making sure that your own user as well as the
apache user can write to the files. It's important to stress that
development doesn't happen on a remote FTP server, as we're a software
company, we develop on development machines and we *never* develop on
production servers. A call to is_writable( ) would result in true, so I
figured it ought to work. It didn't. After debugging for quite some
time, I found a line in the wordpress core which contained the following
code:
if ( getmyuid() == @fileowner($temp_file_name) ).
It seems the Apache user *must* be the owner of the files, before
Wordpress WPAU will even try to update the plugins, which is unexpected
behaviour, from my point of view. My logic is that if the user is able
to write to files, that would be enough to write to files. In the case
of WPAU, this isn't true. While searching though the bug tracker, I've
found several previous tickets about this exact problem, such as #8400
and #10424.
In #8400, DD32 responds with 'wontfix'. In #10424, DD32 responds to the
ticket with an explanation which makes sense, but mostly for shared
webhosting. Now, I'm sure that most users of Wordpress have the
application hosted on shared webhosting, and they never have a local
copy to develop in. However, the people that write code for a living
usually have multiple environments to write, test and run their code on.
In our case, developing and the first testing happens on a local
machine. We write, debug and test our code using an IDE. That makes it
very awkward for www-data to be the owner of the files that wordpress
should edit, because you have to either change the owner to
www-data:<user> and chmod to 077x, or run your IDE by using su -
www-data, which is obviously a workaround I dislike.
Now, I wouldn't mind the getmyuid to fileowner check much if that was
well-documented and consistent, but it seems that it's not. You see,
wp-config.php was written after the installation-wizard without
performing the check, and I can edit the plugins using the embedded
editor, without the check being performed. It's just the updating of
plugins that doesn't seem to work. That's the reason I assumed I had an
issue with the plugin files not being writable, while they actually were
writable.
I've written a patch (attached) to use is_writable instead of getmyuid
and fileowner, which makes the whole installation work like a charm. Am
I wrong in assuming that the files being writable should be the only
check necessary, or is there some logic that I am still overlooking,
which makes the check make sense? Yes, a lot of (shared) hosting servers
are not that well configured. Yes, once you run Apache as another user
than the owner, this will result in a different owner upon writing new
files. But isn't this only relevant in production and shouldn't that be
fixed by the webhoster, and not by the software?
Cheers,
Berry.
Met vriendelijke groet,
Berry Langerak.
--
Ayavo BV
Tel. 013-5810450
Fax. 013-5810454
Mob. 06-10110635
More information about the wp-hackers
mailing list