WordPress.org

Make WordPress Core

Opened 5 weeks ago

Last modified 5 weeks ago

#53193 new defect (bug)

chmod(): Operation not permitted in class-wp-image-editor-imagick.php

Reported by: jobst Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.7.1
Component: Media Keywords:
Focuses: administration Cc:

Description

Hi

Current install:
Using the LATEST version of WordPress, the line numbers in this bug report relate to that version number.
The system is running on CENTOS with APACHE as the server.

Problem Discription:
PHP Warning: chmod(): Operation not permitted in "wp-includes/class-wp-image-editor-imagick.php" on line 710

Explanation why this is a problem
Every security conscious system administrator will have the following settings:

On directories e.g.
drwxr-x---. 10 editor apache 4096 Feb 19 2019 wp-content
drwxr-x---. 25 editor apache 12288 Mar 29 13:26 wp-includes
drwxr-x---. 4 editor apache 4096 Dec 11 17:10 themes
drwsrws---. 2 editor apache 4096 May 12 15:09 upgrade
drwsrws---. 20 editor apache 4096 Jan 1 00:00 uploads

On files e.g.
-rw-r-----. 1 editor apache 31328 Mar 29 13:25 wp-signup.php
-rw-r-----. 1 editor apache 4747 Dec 11 15:27 wp-trackback.php

While the apache server can READ every file, it cannot WRITE every file abd that is good! I have NEVER had a problem with these settings, ever.
Where the apache server NEEDS to write, it can (e.g. uploads/upgrade/cache)
I can happily update core/plugins/themes using FS_METHOD ssh2 with ssh keys set for the editor.

Also it is nearly IMPOSSIBLE to have the system being taken over as the apache server cannot write core files.

Does the problem occur even when you deactivate plugins, use default theme?
N/A
File system permission issue

In case it's relevant to the ticket, what is the expected output or result?
There needs to be an additional check whether the line SHOULD/CAN be executed.

On my system the editor is NOT the same as the user running the http server. The server user is MOSTLY (and should) restricted to reading (other that the upload/upgrade/cache/etc directories).

This will lead to errors on Linux based systems.

Change History (1)

#1 @SergeyBiryukov
5 weeks ago

  • Component changed from General to Media
Note: See TracTickets for help on using tickets.