[wp-hackers] Does WordPress do automatic updates as the user that owns the files?

Otto otto at ottodestruct.com
Mon Aug 20 20:10:47 UTC 2012

On Mon, Aug 20, 2012 at 12:30 PM, Harry Metcalfe <harry at dxw.com> wrote:
> I'm confused. The codex says:
>> When you tell WordPress to perform an automatic update, all file
>> operations are performed as the user that owns the files, not as the web
>> server's user
> http://codex.wordpress.org/Hardening_WordPress#Regarding_Automatic_Updates
> I'm pretty confident that this is not the case for us, and I don't see how
> it can be the case for anyone without somehow allowing the web user to
> impersonate a shell user, which would surely not be sensible at all.
> Is this just wrong? Or have I misread it? Or is something clever going on
> that I've failed to notice?

It's something clever, called the WP_Filesystem. :)

Basically, the WP_Filesystem supports a few different methods of
writing files, depending on what sort of functionality you have
available and what sort of method by which your system is running.

If the PHP code is running in what's known as "setuid" mode, where the
PHP process is running as the same user who owns the PHP files
themselves, then the WP_Filesystem will use the "direct" mode for
writing files, and it will simply write them out directly. Because the
owner of the file matches the PHP process owner, then the files are
written with the correct user.

For any other case, it either asks for FTP credentials, or can use
secure-ftp or ssh2 credentials (depending on the setup), to
essentially perform a loopback connection to the server. Thus, while
the PHP process may be running as "apache" or "nobody" or something,
it will connect back to the server using, say, FTP, and give the
proper login, then write the files via that connection. Each of the
supported WP_Filesystem methods is in its own
class-wp-filesystem-*.php file in the wp-includes directory, if you
want to examine them.

If you're not using the WP_Filesystem, then you're correct in that
files can be written with incorrect ownership. In the case of the
image uploader, this is the case. But for doing plugin/theme/core
upgrades, WordPress uses the WP_Filesystem to get the ownership

More info: http://ottopress.com/2011/tutorial-using-the-wp_filesystem/


More information about the wp-hackers mailing list