Opened 5 years ago

Closed 5 years ago

#28034 closed defect (bug) (duplicate)

Appropriate group permissions aren't acknowledged in get_filesystem_method

Reported by: jason_the_adams
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.9
Component: Filesystem API
Keywords:
Focuses:
Cc:

Description

WordPress currently checks whether a file can be written and then compares the uid of that file to the current user id. The problem is, this fails in the case wherein WordPress has proper group permissions. I've noticed around that the solution people are told to follow is "sudo chown www-data wordpress/ -R".

But there's merit to having different user/group permissions, and giving apache/nginx limited permissions to the user. Whether or not this is agreed with, though, should WordPress force the person to work this way? Shouldn't WP's real concern just be that it can write?

I suggest changing line 948 in /include/admin/file.php to:

if ( (getmyuid() == @fileowner($temp_file_name)) || (getmygid() == @filegroup($temp_file_name)) )

Since we've already written to a new file, we can assume that write permissions are acceptable for either the user or group.

Change History (2)

#1 @nacin
5 years ago

Hi jason_the_adams, this sounds like a duplicate of #10205. There is, unfortunately, a storied history here. We're worried about writing a file that cannot be edited by an FTP user. It's complicated, annoying, and catering to the lowest common denominator.

#2 @SergeyBiryukov
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #10205.

See also #7779, #8400, #10423, #10424, #12499, #14753, #17373, #19313 (exact duplicate), #24007, #24700.
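
The two conditions discussed in this ticket, side by side, as an added example (not WordPress core code and not part of the ticket). The function name, probe file name and result keys are hypothetical; it also reports whether the probe file came out group-writable, which is what decides whether another member of the group could later edit files created this way.

```php
<?php
// Added illustration; probe_write_ownership() and its result keys are hypothetical.

/**
 * Create a throwaway file in $dir and report how its ownership relates
 * to the owner of this script under each condition from the ticket.
 */
function probe_write_ownership( string $dir ): array {
    $probe  = rtrim( $dir, '/' ) . '/ownership-probe-' . uniqid();
    $handle = @fopen( $probe, 'w' );
    if ( ! $handle ) {
        return array( 'writable' => false );
    }
    fclose( $handle );
    clearstatcache( true, $probe );

    $owner = fileowner( $probe );          // uid the new file was created with
    $group = filegroup( $probe );          // gid the new file was created with
    $mode  = fileperms( $probe ) & 0777;   // permission bits after umask
    unlink( $probe );

    // getmyuid()/getmygid() return the owner and group of the running
    // script file, not the uid/gid of the PHP process itself.
    $uid_match = ( getmyuid() === $owner );
    $gid_match = ( getmygid() === $group );

    return array(
        'writable'       => true,
        'uid_match'      => $uid_match,               // existing condition
        'uid_or_gid'     => $uid_match || $gid_match, // condition proposed in the ticket
        'mode'           => sprintf( '%04o', $mode ),
        // A gid match alone does not mean other group members can edit
        // the new file: that needs the group-write bit, which the umask
        // of the PHP process may have cleared.
        'group_can_edit' => $gid_match && ( ( $mode & 0020 ) !== 0 ),
    );
}

print_r( probe_write_ownership( sys_get_temp_dir() ) );
```

On a host where the web server user differs from the file owner but shares its group, `uid_match` is false while `uid_or_gid` is true; with a typical umask of 022 `group_can_edit` is still false.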
