01346: fixperms() makes files world readable/writable even if account owner is root

Summary: fixperms() makes files world readable/writable even if account owner is root
Created: 2014-06-06 04:11
Status: Closed, fixed for 2.2.65
Category: Bug
Assigned:
Priority: 3
Version: 2.2.64
OS: CentOS 5/Apache 2.2/PHP 5.1

Description: I have a couple of intranet wikis where the document root and all subdirectories are owned by the root user, while the wiki page and upload directories are owned by the HTTP server account, apache, like so:

 # ls -ld .
 drwxr-xr-x 9 root root 4096 јун  6 10:38 .
 # ls -ld wiki.d
 drwxr-xr-x 2 apache apache 4096 Jun  6 10:56 wiki.d

For any page created in wiki.d, fixperms() (in pmwiki.php) sees that the directory owner (apache) is not the same as "account owner" (root) and adds o+rw permissions to the file, which are unnecessary since root can read it anyway.

A fix which shouldn't impact other use cases is as follows:

--- pmwiki-2.2.64.orig/pmwiki.php       2014-05-08 20:39:51.000000000 +0200
+++ pmwiki-2.2.64/pmwiki.php    2014-06-06 10:40:45.000000000 +0200
@@ -615,7 +615,7 @@
   }
   else {
     $bp = 0;
-    if (fileowner($fname)!=@fileowner('.')) $bp = (is_dir($fname)) ? 007 : 006;
+    if (fileowner($fname)!=@fileowner('.') && @fileowner('.')!=0) $bp = (is_dir($fname)) ? 007 : 006;
     if (filegroup($fname)==@filegroup('.')) $bp <<= 3;
     $bp |= $add;
     if ($bp && (fileperms($fname) & $bp) != $bp)

IvanNejgebauer? June 06, 2014, at 04:13 AM

Thanks, this will probably be added in the next release in a few days (with && @fileowner('.')!==0 as on failure this function returns false which is evaluated to 0). --Petko June 06, 2014, at 11:52 AM