Plugin upgrade not possible without being script owner
|Reported by:||sigvei||Owned by:|
In my server setup, I have wordpress located in $HOME/wordpress, and that is symlinked to a public www directory. The files in $HOME/wordpress are owned by me, with www-data (webserver's group) as group owner. Files and directories are readable and writable by both owner and group. This means I won't have to have root access to upgrade wordpress, and yet I am still able to edit plugin and theme files.
This means plugin upgrades should be possible. However, get_filesystem_method in wp-admin/includes/file.php checks whether direct access is possible by doing this:
$temp_file = wp_tempnam(); if ( getmyuid() == fileowner($temp_file) ) $method = 'direct'; unlink($temp_file);
With a standard server setup, $temp_file will be owned by the user owning wp-admin/update.php. In my setup, that means this check fails.
I am not quite at the patch stage here, as I am not quite sure of the permission needs of plugin update files. But testing whether the owner of update.php is the same as the owner of the apache process seems like a clear bug to me. It isn't relevant to the task.