Opened 11 years ago
Closed 11 years ago
#28034 closed defect (bug) (duplicate)
Appropriate group permissions aren't acknowledged in get_filesystem_method
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | 3.9 |
| Component: | Filesystem API | Keywords: | |
| Focuses: | Cc: |
Description
Wordpress currently checks whether a file can be written and then compares the uid of that file to the current user id. The problem is, this fails in the case wherein wordpress has proper group permissions. I've noticed around that the solution people are told to follow is "sudo chown www-data wordpress/ -R".
But there's merit to having a different user/group permissions, and giving apache/nginx limited permissions to the user. Whether or not this is agreed with, though, should Wordpress force the person to work this way? Shouldn't WP's real concern just be that it can write?
I suggest changing line 948 in /include/admin/file.php to:
if ( (getmyuid() == @fileowner($temp_file_name)) || (getmygid() == @filegroup($temp_file_name) )
Since we've already written to a new file, we can assume that write permissions are acceptable for either the user or group.
Hi jason_the_adams, this sounds like a duplicate of #10205. There is, unfortunately, a storied history here. We're worried about writing a file that cannot be edited by an FTP user. It's complicated, annoying, and catering to the lowest common denominator.