[wp-trac] [WordPress Trac] #28034: Appropriate group permissions aren't acknowledged in get_filesystem_method

WordPress Trac noreply at wordpress.org
Fri Apr 25 21:30:09 UTC 2014

#28034: Appropriate group permissions aren't acknowledged in get_filesystem_method
 Reporter:  jason_the_adams  |      Owner:
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Filesystem API   |    Version:  3.9
 Severity:  normal           |   Keywords:
  Focuses:                   |
 Wordpress currently checks whether a file can be written and then compares
 the uid of that file to the current user id. The problem is, this fails in
 the case  wherein wordpress has proper group permissions. I've noticed
 around that the solution people are told to follow is "sudo chown www-data
 wordpress/ -R".

 But there's merit to having a different user/group permissions, and giving
 apache/nginx limited permissions to the user. Whether or not this is
 agreed with, though, should Wordpress force the person to work this way?
 Shouldn't WP's real concern just be that it can write?

 I suggest changing line 948 in /include/admin/file.php to:

 if ( (getmyuid() == @fileowner($temp_file_name)) || (getmygid() ==
 @filegroup($temp_file_name) )

 Since we've already written to a new file, we can assume that write
 permissions are acceptable for either the user or group.

Ticket URL: <https://core.trac.wordpress.org/ticket/28034>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list