DirectoryAndFilePermissions

Summary: Explains which directories and files need to be readable, writable, and servable by the webserver.
Version: 2006-12-05
Prerequisites:
Status: Initial version
Maintainer:
Categories: Security Administration
Discussion: DirectoryAndFilePermissions-Talk
Description

Explains which directories and files need to be readable, writable, and servable by the webserver.

Questions answered by this recipe

Answers

Yes, see File permissions - PmWiki's settings for file and directory permissions in a typical Unix environment. Also, see the following
First, some terms. For the purpose of this document,
Readable directories

All PmWiki directories should be readable, although the docs/ directory doesn't need to be readable by the webserver.

Writable directories

The wiki.d/ directory always needs to be writable because that's where wiki pages are stored.

If uploads are enabled, the uploads/ directory needs to be writable so uploaded files can be stored. Note that it only needs to be writable when files will be uploaded with ?action=upload. Conceivably an administrator could enable uploads and leave the directory non-writable, so that Attach: syntax would work for existing "attached" files.

PmWiki also needs a writable directory for session data. Ideally this directory will be somewhere outside of the web hierarchy. The default directory for sessions (usually /tmp/) is typically set globally in PHP's global configuration file (php.ini). You can also use session_save_path() to identify the directory to be used. Make sure the directory is writable by the webserver.

Servable directories

At minimum, one file and one "directory tree" (a directory and all of its subdirectories) will be servable. The one file (pmwiki.php or a wrapper script) needs to be servable from the main directory. The one directory tree is the pub/ directory and all directories below it. The pub/ directory exists specifically for publicly-accessible files, so obviously it's always servable.

The uploads/ directory tree is typically servable, but it doesn't need to be. You can configure your wiki with

    $EnableDirectDownload = 0;

to cause files in the uploads/ tree to be delivered "through" PmWiki, and then the files themselves don't need to be servable.

Setting permissions

This isn't an easy subject to explain because, for example, knowing that a directory or file has "755" or "644" permissions is not enough information to tell if permissions are correct. Determining correct permissions will depend on other attributes. (Is this a regular file or a directory? Is it owned by the webserver's UID or GID, or your UID/GID, or some other UID/GID?) Permissions will be different if you used the method "for a slightly more secure installation", for example. Put another way, how you set permissions is highly dependent upon how your server is configured.

Here are sample directory and file permissions from a freshly-installed copy of PmWiki that was installed using the "slightly more secure" (2777) method:
[drwxr-xr-x] pmwiki
|-- [-rw-r--r--] README.txt
|-- [drwxr-xr-x] cookbook
|   |-- [-rw-r--r--] .htaccess
|   `-- [-rw-r--r--] (all files)
|-- [drwxr-xr-x] docs
|   `-- [-rw-r--r--] .htaccess
|-- [-rw-r--r--] index.php
|-- [drwxr-xr-x] local
|   |-- [-rw-r--r--] .htaccess
|   `-- [-rw-r--r--] config.php
|-- [-rw-r--r--] pmwiki.php
|-- [drwxr-xr-x] pub
|   |-- [drwxr-xr-x] css
|   |-- [drwxr-xr-x] guiedit
|   |   `-- [-rw-r--r--] (all files)
|   `-- [drwxr-xr-x] skins
|       |-- [drwxr-xr-x] pmwiki
|       |   `-- [-rw-r--r--] (all files)
|       `-- [drwxr-xr-x] print
|           `-- [-rw-r--r--] (all files)
|-- [drwxr-xr-x] scripts
|   |-- [-rw-r--r--] .htaccess
|   `-- [-rw-r--r--] (all other files)
|-- [drwxrwsr-x] uploads
|   `-- [drwxrwxr-x] Main
|       `-- [-rw-rw-r--] (all written files)
|-- [drwxrwxr-x] wiki.d
|   `-- [-rw-rw-r--] (all written files)
`-- [drwxr-xr-x] wikilib.d
    `-- [-rw-r--r--] (all files)
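
A shell audit of an install against the sample tree above, as an added example that is not part of the original recipe or of PmWiki. It assumes the install root is passed as the first argument and that the webserver writes through group permission, as in the sample; the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: audit a PmWiki tree against the sample layout on this page.
# Assumptions: install root is $1; the webserver writes through group permission
# (as in the sample tree), so group/world write bits are what we inspect.

# Paths outside wiki.d/ and uploads/ that are group- or world-writable.
# Only those two trees need to be writable by the webserver.
pmwiki_writable_outside_data() {
    root=${1%/}
    find "$root" \( -path "$root/wiki.d" -o -path "$root/uploads" \) -prune -o \
        \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# World-writable entries inside the data trees; the sample tree stops at
# group-writable (rwxrwxr-x / rw-rw-r--).
pmwiki_world_writable_data() {
    root=${1%/}
    for d in wiki.d uploads; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" \( -type f -o -type d \) -perm -002 -print
        fi
    done
}

# Directories that carry an .htaccess in the sample tree but lack one here.
pmwiki_missing_htaccess() {
    root=${1%/}
    for d in cookbook docs local scripts; do
        if [ -d "$root/$d" ] && [ ! -f "$root/$d/.htaccess" ]; then
            echo "$root/$d"
        fi
    done
}

# Run all checks; return status 1 if anything was reported.
pmwiki_audit() {
    findings=$(
        pmwiki_writable_outside_data "$1" | sed 's/^/writable outside wiki.d,uploads: /'
        pmwiki_world_writable_data "$1"   | sed 's/^/world-writable data: /'
        pmwiki_missing_htaccess "$1"      | sed 's/^/no .htaccess: /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# Stand-alone use: sh audit.sh /path/to/pmwiki
if [ -n "${1:-}" ]; then pmwiki_audit "$1"; fi
```

On a server where the webserver owns the files and writes through owner permission, the group/world checks report less than they would on the sample layout; adjust the `-perm` tests to match how your server is configured.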
Comments

See Discussion at DirectoryAndFilePermissions-Talk