[wp-trac] [WordPress Trac] #37264: Please do not chmod 666 the wp-config.php file on installation.

WordPress Trac noreply at wordpress.org
Tue Jul 19 00:38:06 UTC 2016


#37264: Please do not chmod 666 the wp-config.php file on installation.
--------------------------+------------------------------
 Reporter:  chriskuehl    |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Security      |     Version:  1.0
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+------------------------------

Comment (by dd32):

 There are several arguments for why it's as it is today, although I'm not
 sure which ones are still valid. I wouldn't want to lower owner below
 `600` though, as if you can write to the directory you can change the
 permissions anyway.

 (Note: I'm specifically excluding ACLs here, they change ALL of this, and
 a `777` file could be a `000` file according to them)

 Take the scenario where PHP is running as `www-data` and your FTP user is
 running as `dd32`: a `400` or `600` file would not be modifiable. If you
 shared the group, then `440` or `660` would allow you to (if needed) relax
 the permissions and modify it.

 If you take the scenario where the file was created as `www-data` and your
 FTP user is running as `dd32` and does NOT share a common group (not as
 insane as you may think it is) then `444` / `666` is suddenly the most
 relaxed permissions you can choose for the file.

 We attempted to lower the permissions set to `640` in #20069 which failed
 miserably, which is why they're back at `644` for upgrades.

 I don't think there's any change that can be made here which won't result
 in broken cases for a subset of users, where they won't be able to modify
 their `wp-config.php` file via FTP or control panels. These sorts of issues
 will NEVER be seen on a *decent* host, or any test environment that we set
 up; it'll always be those hosts that you don't want to touch, or have
 never heard of, that will cause pain.

 One option that could work would be to utilise `WP_Filesystem` at this
 step too, which would switch to FTP in the event that the file created
 wouldn't be owned by the same user as WordPress. That would potentially
 maybe allow us to drop back to `660` or `600`, as long as we included a
 few steps to verify that the file was still readable by the web user.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/37264#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
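The owner/group/other scenarios in dd32's comment, worked through as an added example that is not part of the ticket or of WordPress core. It models only the classic mode bits (ACLs, which the comment sets aside, are not modelled), and the user names, uids and gids are constructed; `can_modify_via_ftp`, `least_relaxed_writable_mode` and `web_user_can_still_read` are hypothetical helper names, the last one being the "still readable by the web user" check the final paragraph asks for.

```python
"""Model of the POSIX mode-bit scenarios in the comment above.

Added example, not code from WordPress core or from the ticket. It models only
the classic owner/group/other bits, not ACLs (which the comment sets aside).
User names, uids and gids below are constructed for illustration.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gids: frozenset  # primary and supplementary group ids


@dataclass(frozen=True)
class FileStat:
    owner_uid: int
    group_gid: int
    mode: int  # permission bits only, e.g. 0o640


def applicable_bits(f: FileStat, u: User) -> int:
    """Return the rwx triplet the kernel applies to u: owner, else group, else other."""
    if u.uid == f.owner_uid:
        return (f.mode >> 6) & 0o7
    if f.group_gid in u.gids:
        return (f.mode >> 3) & 0o7
    return f.mode & 0o7


def can_read(f: FileStat, u: User) -> bool:
    return bool(applicable_bits(f, u) & 0o4)


def can_write(f: FileStat, u: User) -> bool:
    return bool(applicable_bits(f, u) & 0o2)


def can_chmod(f: FileStat, u: User) -> bool:
    """Only the file owner (or root, uid 0) may change the mode bits."""
    return u.uid in (0, f.owner_uid)


def can_modify_via_ftp(f: FileStat, ftp_user: User) -> bool:
    """The comment's question: can the FTP user edit the file, either directly
    or by relaxing the bits first (which requires owning the file)?"""
    return can_write(f, ftp_user) or can_chmod(f, ftp_user)


# Constructed identities: PHP runs as www-data; the FTP account is dd32.
WWW_DATA = User("www-data", 33, frozenset({33}))
DD32_SEPARATE = User("dd32", 1000, frozenset({1000}))      # no common group
DD32_SHARED = User("dd32", 1000, frozenset({1000, 33}))    # shares www-data's group


def wp_config_owned_by_web(mode: int) -> FileStat:
    """wp-config.php as the installer creates it: owned by the PHP user/group."""
    return FileStat(WWW_DATA.uid, 33, mode)


def least_relaxed_writable_mode(ftp_user: User,
                                candidates=(0o600, 0o640, 0o660, 0o644, 0o666)) -> int:
    """First mode on the comment's ladder that lets ftp_user modify a web-owned file."""
    for mode in candidates:
        if can_modify_via_ftp(wp_config_owned_by_web(mode), ftp_user):
            return mode
    raise ValueError("no candidate mode works")


def web_user_can_still_read(f: FileStat) -> bool:
    """The verification step the last paragraph asks for: after tightening the
    bits, or after the file is created over FTP, can PHP still read it?"""
    return can_read(f, WWW_DATA)


if __name__ == "__main__":
    for mode in (0o600, 0o640, 0o660, 0o644, 0o666):
        row = [stat.filemode(stat.S_IFREG | mode)]
        for u in (DD32_SEPARATE, DD32_SHARED):
            label = u.name + ("+grp" if 33 in u.gids else "")
            ok = can_modify_via_ftp(wp_config_owned_by_web(mode), u)
            row.append(f"{label}: {'edit' if ok else 'no edit'}")
        print("  ".join(row))
    # A file created over FTP as dd32 with 600 is unreadable by PHP:
    print("web can read dd32-owned 600:", web_user_can_still_read(FileStat(1000, 1000, 0o600)))
```

Running it prints the ladder from the comment: with no shared group only `666` lets the FTP user edit a `www-data`-owned file, while a shared group gets there at `660`; the last line shows why the `WP_Filesystem` approach needs the readability check, since a file created as `dd32` with `600` is invisible to PHP.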