[wp-trac] [WordPress Trac] #37264: Please do not chmod 666 the wp-config.php file on installation.

WordPress Trac noreply at wordpress.org
Sun Jul 3 22:27:48 UTC 2016


#37264: Please do not chmod 666 the wp-config.php file on installation.
-----------------------------+-----------------------------
 Reporter:  chriskuehl       |      Owner:
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Upgrade/Install  |    Version:  trunk
 Severity:  normal           |   Keywords:
  Focuses:                   |
-----------------------------+-----------------------------
 On installation, WordPress invariantly does a {{{chmod 666}}} of the
 {{{wp-config.php}}} file:
 https://github.com/WordPress/WordPress/blob/4.5.3/wp-admin/setup-config.php#L393

 This file is very sensitive; it contains the database password and
 authentication keys, among other things.

 666 grants read, write, and execute permissions to every single user on
 the system. Even read permissions are too much; not only can you dump the
 database, but you can easily escalate to code execution via template
 changes (which are stored in the database and {{{eval}}}'d).

 There are virtually no situations where 666 is the appropriate level of
 permission for this file. It should be something like 600 instead.

 * On shared web hosts, other users may be able to read (or even edit!) the
 file, depending on what isolation the host provides. Most large shared
 hosting providers do it by making the home directory ~600 so that only the
 user can traverse it, then run the webserver as that user (and so there's
 no point making it 666 anyway, it might as well be 600). Other shared web
 hosts use suexec or suphp to achieve the same, but in these setups, 666 is
 incredibly dangerous and allows others to modify it (and it should be
 600).

 * Even on dedicated hosts with no other users or websites, these
 permissions mean that pretty much any compromise on the system can be
 elevated to full control of your site. And 600 will still work here.

 If there is too much concern about this not working across diverse hosting
 environments, then the installer could incrementally try wider permissions
 until the file can be read by the PHP code (I would still argue it should
 never silently make files world-writable, or even world-readable, though).

 Please consider changing the default to 600.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/37264>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform