[wp-trac] [WordPress Trac] #8400: Plugin upgrade not possible without being script owner

[WordPress Trac]

#8400: Plugin upgrade not possible without being script owner
---------------------+------------------------------------------------------
 Reporter:  sigvei   |       Owner:     
     Type:  defect   |      Status:  new
 Priority:  normal   |   Milestone:  2.8
Component:  Plugins  |     Version:  2.6
 Severity:  normal   |    Keywords:     
---------------------+------------------------------------------------------
 In my server setup, I have wordpress located in $HOME/wordpress, and that
 is symlinked to a public www directory. The files in $HOME/wordpress are
 owned by me, with www-data (webserver's group) as group owner. Files and
 directories are readable and writable by both owner and group. This means
 I won't have to have root access to upgrade wordpress, and yet I am still
 able to edit plugin and theme files.

 This means plugin upgrades should be possible. However,
 get_filesystem_method in wp-admin/includes/file.php checks whether direct
 access is possible by doing this:


 {{{
 $temp_file = wp_tempnam();
 if ( getmyuid() == fileowner($temp_file) )
         $method = 'direct';
 unlink($temp_file);
 }}}

 With a standard server setup, $temp_file will be owned by the user owning
 wp-admin/update.php. In my setup, that means this check fails.

 I am not quite at the patch stage here, as I am not quite sure of the
 permission needs of plugin update files. But testing whether the owner of
 update.php is the same as the owner of the apache process seems like a
 clear bug to me. It isn't relevant to the task.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/8400>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software