WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#8400 closed defect (bug) (wontfix)

Plugin upgrade not possible without being script owner

Reported by: sigvei Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.6
Component: Plugins Keywords:
Focuses: Cc:

Description

In my server setup, I have wordpress located in $HOME/wordpress, and that is symlinked to a public www directory. The files in $HOME/wordpress are owned by me, with www-data (webserver's group) as group owner. Files and directories are readable and writable by both owner and group. This means I won't have to have root access to upgrade wordpress, and yet I am still able to edit plugin and theme files.

This means plugin upgrades should be possible. However, get_filesystem_method in wp-admin/includes/file.php checks whether direct access is possible by doing this:

$temp_file = wp_tempnam();
if ( getmyuid() == fileowner($temp_file) )
	$method = 'direct';
unlink($temp_file);

With a standard server setup, $temp_file will be owned by the user owning wp-admin/update.php. In my setup, that means this check fails.

I am not quite at the patch stage here, as I am not quite sure of the permission needs of plugin update files. But testing whether the owner of update.php is the same as the owner of the apache process seems like a clear bug to me. It isn't relevant to the task.

Change History (3)

comment:1 DD325 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

Indeed the current setup does not check Group ownerships, The main problem with supporting that method is that new files will be created as owned by www-data, and not as by your username, which will then cause problems, specifically which were to be worked around by the FTP methods.

You can use a plugin such as the one below to force it to use the Direct Method regardless (And take the onus of any problems on yourself):

<?php
/*
Plugin Name: Force WP Filesystem to use the 'direct' class
Version: 1.0
Plugin URI: http://dd32.id.au/wordpress-plugins/?force-direct
Description: Forces the WP_Filesystem to utilise the Direct Filesystem abstraction library. <strong>Testing purposes only, Do not rely upon this for constant use</strong>
Author: Dion Hulse
Author URI: http://dd32.id.au/
*/

add_filter('filesystem_method', 'force_direct');
function force_direct($method) {
	return 'direct';
}
?>

comment:2 DD325 years ago

  • Milestone 2.8 deleted

comment:3 foresto5 years ago

  • Cc foresto added
Note: See TracTickets for help on using tickets.