[wp-trac] [WordPress Trac] #37264: Please do not chmod 666 the wp-config.php file on installation.
WordPress Trac
noreply at wordpress.org
Tue Jul 19 00:38:06 UTC 2016
#37264: Please do not chmod 666 the wp-config.php file on installation.
--------------------------+------------------------------
Reporter: chriskuehl | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 1.0
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Comment (by dd32):
There are several arguments for why it's as it is today, although I'm not
sure which ones are still valid. I wouldn't want to lower owner below
`600` though, as if you can write to the directory you can change the
permissions anyway.
(Note: I'm specifically excluding ACLs here, they change ALL of this, and
a `777` file could be a `000` file according to them)
Take the scenario where PHP is running as `www-data` and your FTP user is
running as `dd32`: a `400` or `600` file would not be modifiable. If you
shared the group, then `440` or `660` would allow you to (if needed) relax
the permissions and modify it.
If you take the scenario where the file was created as `www-data` and your
FTP user is running as `dd32` and does NOT share a common group (not as
insane as you may think it is), then `444` / `666` are suddenly the most
relaxed permissions you can choose for the file.
We attempted to lower the permissions set to `640` in #20069, which failed
miserably, which is why they're back at `644` for upgrades.
I don't think there's any change that can be made here which won't result
in broken cases for a subset of users, where they won't be able to modify
their `wp-config.php` file via FTP or control panels. These sorts of issues
will NEVER be seen on a *decent* host, or any test environment that we set
up; it'll always be those hosts that you don't want to touch, or have
never heard of, that will cause pain.
One option that could work would be to utilise `WP_Filesystem` at this
step too, which would switch to FTP in the event that the file created
wouldn't be owned by the same user as WordPress. That would potentially
maybe allow us to drop back to `660` or `600`, as long as we included a
few steps to verify that the file was still readable by the web user.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37264#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
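The comment above reasons about which owner/group/other triplet applies to the PHP user and to the FTP user in four layouts (who owns the file, whether the two users share a group). The following is an added example, not WordPress or the commenter's code, that models the POSIX mode-bit check and computes the tightest conventional mode for each layout. The uids, gids and the "shared group" are constructed for the illustration; `www-data` and `dd32` are the names used in the comment. ACLs are left out, as the comment does.

```python
"""Model of the POSIX mode-bit check behind the wp-config.php permission
scenarios discussed above.  Added example, not WordPress code.

Assumed values: uid/gid 33 for www-data (typical Debian), 1000 for dd32,
2000 for a shared group.  These are constructed; no real system users or
ACLs are consulted."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gids: FrozenSet[int]   # primary group plus supplementary groups


@dataclass(frozen=True)
class FileMeta:
    owner_uid: int
    group_gid: int
    mode: int              # permission bits only, e.g. 0o644


R_BIT, W_BIT = 0o4, 0o2


def permission_class(user: User, f: FileMeta) -> str:
    """Exactly one triplet applies to a user: owner if the uid matches,
    else group if the file's gid is among the user's groups, else other.
    A non-owner outside the group therefore falls through to 'other'
    regardless of how generous the owner and group bits are."""
    if user.uid == f.owner_uid:
        return "owner"
    if f.group_gid in user.gids:
        return "group"
    return "other"


def effective_bits(user: User, f: FileMeta) -> int:
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(user, f)]
    return (f.mode >> shift) & 0o7


def can_read(user: User, f: FileMeta) -> bool:
    return bool(effective_bits(user, f) & R_BIT)


def can_write(user: User, f: FileMeta) -> bool:
    return bool(effective_bits(user, f) & W_BIT)


# The conventional modes the comment talks about; nothing exotic like 0o606.
CANDIDATE_MODES = (0o400, 0o440, 0o444, 0o600, 0o640, 0o644, 0o660, 0o664, 0o666)


def tightest_mode(owner_uid: int, group_gid: int,
                  must_read: Iterable[User], must_write: Iterable[User],
                  candidates: Iterable[int] = CANDIDATE_MODES) -> Optional[int]:
    """Return the candidate mode with the fewest bits set that still lets
    every user in must_read read and every user in must_write read and
    write.  Returns None if no candidate works, e.g. when the only triplet
    that applies is 'other' and the candidate set has no world-writable
    mode.  This is the 'verify the web user can still read it' check from
    the comment, generalised to both users."""
    readers, writers = list(must_read), list(must_write)
    ordered = sorted(candidates, key=lambda m: (bin(m).count("1"), m))
    for mode in ordered:
        f = FileMeta(owner_uid, group_gid, mode)
        if (all(can_read(u, f) for u in readers + writers)
                and all(can_write(u, f) for u in writers)):
            return mode
    return None


# Constructed identities (assumption, see module docstring).
WWW_DATA_UID, WWW_DATA_GID = 33, 33
DD32_UID, DD32_GID = 1000, 1000
SHARED_GID = 2000

www_data = User("www-data", WWW_DATA_UID, frozenset({WWW_DATA_GID}))
www_data_shared = User("www-data", WWW_DATA_UID, frozenset({WWW_DATA_GID, SHARED_GID}))
dd32_alone = User("dd32", DD32_UID, frozenset({DD32_GID}))
dd32_shared = User("dd32", DD32_UID, frozenset({DD32_GID, SHARED_GID}))


def scenarios() -> Dict[str, Optional[int]]:
    """The owner/group layouts from the comment, each with the tightest
    mode that keeps PHP (www-data) able to read and the FTP user (dd32)
    able to edit wp-config.php."""
    return {
        # file created by PHP as www-data; FTP user shares no group -> 'other'
        "www-data owns, no shared group":
            tightest_mode(WWW_DATA_UID, WWW_DATA_GID, [www_data], [dd32_alone]),
        # file created by PHP; its group is one both users belong to
        "www-data owns, shared group":
            tightest_mode(WWW_DATA_UID, SHARED_GID, [www_data], [dd32_shared]),
        # file uploaded over FTP as dd32; PHP shares no group -> 'other'
        "dd32 owns, no shared group":
            tightest_mode(DD32_UID, DD32_GID, [www_data], [dd32_alone]),
        # file uploaded over FTP; group shared with PHP (what #20069 needed)
        "dd32 owns, shared group":
            tightest_mode(DD32_UID, SHARED_GID, [www_data_shared], [dd32_shared]),
    }


if __name__ == "__main__":
    for layout, mode in scenarios().items():
        print(f"{layout:34s} -> {oct(mode) if mode is not None else 'no usable mode'}")
```

The ordering by bit count is what makes `0o600` rank tighter than `0o444`; the result for "www-data owns, no shared group" is `0o666`, which is the comment's point that world-writable becomes the only usable choice when the FTP user is neither owner nor group member. Dropping `0o666` from the candidate list makes that layout return `None`, the case WordPress would need to detect before choosing a stricter default.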