Last modified: 2014-02-12 23:32:50 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T45252, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 43252 - Image folder doesn't work unless chmod 777
Image folder doesn't work unless chmod 777
Status: RESOLVED INVALID
Product: MediaWiki
Classification: Unclassified
File management (Other open bugs)
1.20.x
Other Linux
: Unprioritized normal (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-12-19 00:19 UTC by Rob Kam
Modified: 2014-02-12 23:32 UTC (History)
2 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Rob Kam 2012-12-19 00:19:54 UTC 
A fresh install of 1.20.2 on Ubuntu with ImageMagick. It's a shared host, and I don't have root access. I've got images hotlinked from Wikimedia Commons showing fine as thumbnails. However when I tried to upload images from the local PC I was getting "Unable to create the folder "mwstore://local-backend/local-public/ ...". Until I did chmod 777 to the images folder. Now I have all images and thumbnails working fine but also have a hole in the sites security. 

Is there a better way to fix this, without root permissions, than chmod 777 images/? Is this a bug?
Comment 1 Brion Vibber 2012-12-19 00:22:04 UTC 
Well...

You don't need 777 if it's actually owned by the web server user, then you can use 755 or such.

But on typical shared hosting that may still leave you open to other users.

Frankly this is a security problem with many shared hosting environments that's just something you have to live with; unless you can reconfigure to running your web scripts under your own user account.

A more 'secure' method might be to store files in database but this isn't done yet (and of course, any other web user on the machine can probably get your database usernamd and password out of your config files so... that might not be any more secure.)
Comment 2 Rob Kam 2012-12-19 00:46:41 UTC 
The folders created under images belong to user www-data, (I can view and move these but not delete the files).
Comment 3 Bawolff (Brian Wolff) 2012-12-19 01:14:16 UTC 
(In reply to comment #2)
> The folders created under images belong to user www-data, (I can view and
> move
> these but not delete the files).

Yes, that's the default user that apache runs as in many linux distributions.
Comment 4 Andre Klapper 2012-12-19 10:35:15 UTC 
I don't see a bug here in the MediaWiki software, hence closing as INVALID. I recommend https://www.mediawiki.org/wiki/Project:Support_desk  :)
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links