All the files in the pub directory appear to have permissions set to 660. This results in such things as PatternSkin css files not loading.
I though at first it might just be the zip version of the beta5 archive, but I checked the tgz version and the same problem is there.
Actually, I realise now this problem extends past the pub directory. The
file in root is not readable by public.
660 for files is correct.
The permissions are set anticipating that the install will be done as the apache user.
Opening back up. For installation on a hosted domain (all I know), the pub files and root html files need to have permissions set to 664. This is way all previous twiki distributions (and every other software package I've used) were set up.
This applies to installs from TGZ only, obviously enough.
As I explained on IRC last night, the permissions in the tgz are correct. Pub files should not
be world readable by another user on the same machine after an install (this is a security hole in other packages). The default permissions are set to assume the installer is either (1) the apache user or (2) in the same group as the apache user or (3) able to use chmod and chown to reset permissions. The issue in a hosted install is that
is required to run perl scripts, which gets the right permissions, but isn't run when accessing
files. This is a known security hole in old TWiki, because files in
are forced to be world readable for apache to access them. Really all accesses to
should go through
, which checks TWiki permissions.
It is simple enough to reset permissions on the directory trees as you require. But I think the default should remain paranoid-secure.