[wp-trac] Re: [WordPress Trac] #4151: uploaded image thumbnails permissions incorrect

WordPress Trac wp-trac at lists.automattic.com
Mon Apr 16 06:02:59 GMT 2007


#4151: uploaded image thumbnails permissions incorrect
-----------------------------------+----------------------------------------
 Reporter:  DD32                   |        Owner:  anonymous
     Type:  defect                 |       Status:  new      
 Priority:  normal                 |    Milestone:  2.2      
Component:  Administration         |      Version:  2.1      
 Severity:  normal                 |   Resolution:           
 Keywords:  thumbnails, has-patch  |  
-----------------------------------+----------------------------------------
Comment (by DD32):

 The uploaded files are created by the server too.
 I think there may be something wrong with the server's umask in my case;
 however, it's obvious that WP has changed the default permissions on the
 uploaded file, but not applied the same attention to the thumbnail it then
 creates.

 The problem is that the file that's created is ONLY readable by the
 username which created it.
 In a ''normal'' world where Apache is running without suPHP, the PHP
 process is often owned by the user 'nobody'. The created files will be
 owned by ''nobody'', so the thumbnails are created by the server and
 written to the disk with the username of ''nobody''. When Apache comes to
 serve up the image thumbnail, since it's running under the same username as
 the file was created as, it can read the file and serve it with no
 problems.

 Now, we introduce suPHP into the mix.
 The PHP process is now running under the username of the user, so it's
 running as "theonly". It creates files with the owner/group as "theonly".
 That seems right, right?
 However, when the files are created, they're set read/write for THAT
 user ("theonly").
 Now, Apache comes along under the username "nobody" to serve this image
 up. It tries to access the file. Hang on, permissions are set to
 '''-rw-------''', only the OWNER of the file has read access to it!
 Apache is running as ''nobody'', Apache CAN'T open the file to serve it.
 403 sent out.
 For Apache to serve the file while running under a different username than
 the file, the file needs its permissions set to world-readable:
 ''-rw-r--'''r--'''''
 Now we might as well make it group-readable while we're at it (thus the
 other group-readable mark in there).

 That's why the uploaded file is chmoded in the first place, for the cases
 where PHP is being run under a different username than what the created
 file will be served under.

 Hopefully I've managed to get this out right without too much confusion :S

-- 
Ticket URL: <http://trac.wordpress.org/ticket/4151#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
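
The situation described in the comment above, as an added example that is not part of the original message and is not WordPress code: it recreates an upload that gets an explicit chmod and a thumbnail that keeps the umask-derived mode, then audits the directory for files without the world-read bit and repairs them. The umask value 077, the file names and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example; all paths, file names and function names are constructed.

# List regular files under $1 that lack the world-read bit (o+r),
# i.e. files a web server running as a different user cannot open.
unreadable_by_others() {
    find "$1" -type f ! -perm -004
}

# Recreate the upload flow under a restrictive umask (077 is assumed here):
# the upload is explicitly chmod'ed, the thumbnail is not.
simulate_upload() {
    (
        umask 077
        : > "$1/photo.jpg"
        chmod 644 "$1/photo.jpg"        # upload: -rw-r--r--
        : > "$1/photo.thumbnail.jpg"    # thumbnail: stays -rw-------
    )
}

# Repair: add read for group and others only. Write and execute bits are
# never added, so the files do not become world-writable.
fix_unreadable() {
    unreadable_by_others "$1" | while IFS= read -r f; do
        chmod go+r "$f"
    done
}

# Run the whole sequence in a temporary directory and report:
# "<unreadable before> <unreadable after> <thumbnail mode after fix>"
demo() {
    d=$(mktemp -d) || return 1
    simulate_upload "$d"
    before=$(unreadable_by_others "$d" | wc -l | tr -d ' ')
    fix_unreadable "$d"
    after=$(unreadable_by_others "$d" | wc -l | tr -d ' ')
    mode=$(ls -l "$d/photo.thumbnail.jpg" | cut -c1-10)
    rm -rf "$d"
    echo "$before $after $mode"
}

demo
```

Running `unreadable_by_others` against a real uploads directory gives the list of thumbnails that would be answered with a 403 when the web server runs as a different user than the PHP process.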

