[wp-trac] [WordPress Trac] #53193: chmod(): Operation not permitted in class-wp-image-editor-imagick.php

WordPress Trac noreply at wordpress.org
Wed May 12 05:49:17 UTC 2021


#53193: chmod(): Operation not permitted in class-wp-image-editor-imagick.php
----------------------------+-----------------------------
 Reporter:  jobst           |      Owner:  (none)
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  Awaiting Review
Component:  General         |    Version:  5.7.1
 Severity:  normal          |   Keywords:
  Focuses:  administration  |
----------------------------+-----------------------------
 Hi

 **Current install:**
 Using the LATEST version of WordPress, the line numbers in this bug report
 relate to that version number.
 The system is running on CENTOS with APACHE as the server.


 **Problem Description:**
 PHP Warning:  chmod(): Operation not permitted in
 "wp-includes/class-wp-image-editor-imagick.php" on line 710


 **Explanation why this is a problem**
 Every security conscious system administrator will have the following
 settings:

 On directories e.g.
 drwxr-x---. 10 editor apache  4096 Feb 19  2019 wp-content
 drwxr-x---. 25 editor apache 12288 Mar 29 13:26 wp-includes
 drwxr-x---.  4 editor apache  4096 Dec 11 17:10 themes
 drwsrws---.  2 editor apache  4096 May 12 15:09 upgrade
 drwsrws---. 20 editor apache  4096 Jan  1 00:00 uploads

 On files e.g.
 -rw-r-----.  1 editor apache 31328 Mar 29 13:25 wp-signup.php
 -rw-r-----.  1 editor apache  4747 Dec 11 15:27 wp-trackback.php

 While the apache server can READ every file, it cannot WRITE every file
 and that is good! I have NEVER had a problem with these settings, ever.
 Where the apache server NEEDS to write, it can (e.g.
 uploads/upgrade/cache)
 I can happily update core/plugins/themes using FS_METHOD ssh2 with ssh
 keys set for the editor.

 Also it is nearly IMPOSSIBLE to have the system being taken over as the
 apache server cannot write core files.


 **Does the problem occur even when you deactivate plugins, use default
 theme?**
 N/A
 File system permission issue


 **In case it's relevant to the ticket, what is the expected output or
 result?**
 There needs to be an additional check whether the line SHOULD/CAN be
 executed.

 On my system the editor is NOT the same as the user running the http
 server. The server user is MOSTLY (and should be) restricted to reading
 (other than the upload/upgrade/cache/etc directories).

 This will lead to errors on Linux based systems.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53193>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
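
One way to implement the "additional check" the report asks for, as an added example that is not WordPress core code and not from the reporter: the hypothetical helper guarded_chmod() skips the call when the mode is already correct or when the PHP process does not own the file. It assumes a POSIX host; the ownership test is skipped when the posix extension is not loaded.

```php
<?php
/**
 * Added example: hypothetical helper, not part of WordPress.
 * chmod(2) only succeeds for the file's owner or for root, so a web
 * server user that merely shares a group with the owner gets EPERM.
 * Returns a status string instead of raising a PHP warning.
 */
function guarded_chmod( string $path, int $mode ): string {
    clearstatcache( true, $path );
    $current = @fileperms( $path );
    if ( false === $current ) {
        return 'missing';
    }
    // Compare permission bits only (including setuid/setgid/sticky).
    if ( ( $current & 07777 ) === ( $mode & 07777 ) ) {
        return 'unchanged';
    }
    if ( function_exists( 'posix_geteuid' ) ) {
        $euid = posix_geteuid();
        // Not root and not the owner: the call cannot succeed, so skip it.
        if ( 0 !== $euid && fileowner( $path ) !== $euid ) {
            return 'not-owner';
        }
    }
    return @chmod( $path, $mode ) ? 'changed' : 'failed';
}

// Constructed demo input: a temporary file owned by the current process.
$file = tempnam( sys_get_temp_dir(), 'perm' );
echo guarded_chmod( $file, 0640 ), "\n"; // Owner changing its own file.
echo guarded_chmod( $file, 0640 ), "\n"; // Same mode requested again.
unlink( $file );
echo guarded_chmod( $file, 0640 ), "\n"; // File no longer exists.
```

A caller can log the 'not-owner' result once at a low level rather than emitting a warning on every image save.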

