[theme-reviewers] Theme submission fails on WARNING

Otto otto at ottodestruct.com
Sat Jun 25 13:20:58 UTC 2011


On Fri, Jun 24, 2011 at 6:02 PM, Darren Slatten <darrenslatten at gmail.com> wrote:
> WordPress writes data to theme files via the Appearance => Editor admin
> panel, without requiring FTP credentials. It only requires that the file
> being edited has '666' permissions, which I assume the user has to configure
> manually.

Few things about that.

1. They keep trying to remove that functionality from WordPress. I
keep arguing for it to be left in there.

2. Writing to existing files doesn't change ownership of them.
Creating new files as a different user leaves them with the ownership
of the creating process, which is the main problem with creating files
on (non-setuid) shared hosting.

3. Files having 666 permissions is dangerous as hell too. It is not
recommended. Standard permissions in WP are 644 for files and 755 for
directories, as we state on the codex.

4. If a site is using setuid methods (like I described in the previous
email), then that editor doesn't require 666 permissions. It works
perfectly happily with 644 perms.

-Otto
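
An added example, not part of the message above and not WordPress code: a Python audit that walks a theme directory, flags anything world-writable (the 666 case from point 3) or otherwise off the 644/755 modes, and optionally reports entries whose owner differs from an expected uid (the ownership problem from point 2). The function names, the `expected_uid` parameter and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644  # standard file mode named in the message
DIR_MODE = 0o755   # standard directory mode named in the message


def audit_tree(root, expected_uid=None):
    """Return (path, issue) pairs for entries under root (hypothetical helper)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # skip symlinks; their targets are audited where they live
            mode = stat.S_IMODE(st.st_mode)
            want = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable (%03o)" % mode))
            elif mode != want:
                findings.append((path, "mode %03o, expected %03o" % (mode, want)))
            # Point 2: a file created by another process keeps that process's uid.
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append((path, "owner uid %d, expected %d" % (st.st_uid, expected_uid)))
    return findings


def build_sample_theme(root):
    """Constructed sample tree: one 644 file, one 666 file, one 777 directory."""
    theme = os.path.join(root, "example-theme")
    os.mkdir(theme)
    os.chmod(theme, 0o755)
    for name, mode in (("index.php", 0o644), ("style.css", 0o666)):
        path = os.path.join(theme, name)
        with open(path, "w") as fh:
            fh.write("/* constructed sample */\n")
        os.chmod(path, mode)  # chmod is explicit, so the umask does not matter
    cache = os.path.join(theme, "cache")
    os.mkdir(cache)
    os.chmod(cache, 0o777)
    return theme


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_theme(tmp)
        for path, issue in audit_tree(tmp, expected_uid=os.geteuid()):
            print(issue, path)
```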

