
All the files in the pub directory appear to have permissions set to 660. This results in such things as PatternSkin css files not loading.

I thought at first it might just be the zip version of the beta5 archive, but I checked the tgz version and the same problem is there.


Actually, I realise now this problem extends past the pub directory. The index.html file in root is not readable by public.


660 for files is correct.

The permissions are set anticipating that the install will be done as the apache user.



Opening back up. For installation on a hosted domain (all I know), the pub files and root html files need to have permissions set to 664. This is the way all previous twiki distributions (and every other software package I've used) were set up.


This applies to installs from TGZ only, obviously enough.

As I explained on IRC last night, the permissions in the tgz are correct. Pub files should not be world readable by another user on the same machine after an install (this is a security hole in other packages). The default permissions are set to assume the installer is either (1) the apache user or (2) in the same group as the apache user or (3) able to use chmod and chown to reset permissions. The issue in a hosted install is that suexec is required to run perl scripts, which gets the right permissions, but isn't run when accessing pub files. This is a known security hole in old TWiki, because files in pub are forced to be world readable for apache to access them. Really all accesses to pub should go through viewfile, which checks TWiki permissions.

It is simple enough to reset permissions on the directory trees as you require. But I think the default should remain paranoid-secure.
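The permission model discussed in this thread, as an added shell example that is not part of the original report or of TWiki's build scripts: it lists entries under a pub tree that grant any access to "other", resets files to the shipped 660, and flags entries outside the web server's group. The function names and the handling of directories (stripping only their "other" bits) are assumptions.

```shell
#!/bin/sh
# Added example: audit and reset permissions under a TWiki pub tree.
# The directory and group passed in are assumptions; use your install's values.

# List files and directories under $1 that grant any permission to "other".
pub_world_accessible() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of such entries; 0 means no local user outside the owner and
# group can read, write or traverse anything in the tree.
pub_world_accessible_count() {
    pub_world_accessible "$1" | wc -l | tr -d ' '
}

# List entries under $1 whose group is not $2 (the web server's group).
# With mode 660 these are the files the web server will fail to serve.
pub_wrong_group() {
    find "$1" ! -group "$2" -print
}

# Reset files to 660 (the mode shipped in the tarball) and remove all
# "other" bits from directories, leaving owner and group bits untouched.
pub_harden() {
    find "$1" -type f -exec chmod 660 {} +
    find "$1" -type d -exec chmod o-rwx {} +
}

# Typical use (paths and group name are placeholders):
#   pub_world_accessible /path/to/twiki/pub
#   pub_wrong_group      /path/to/twiki/pub www-data
#   pub_harden           /path/to/twiki/pub
```

On a host where static pub files are served by a web server that is neither the owner nor in the files' group, a hardened tree will stop serving attachments and skin CSS, which is the symptom reported above.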


Summary BETA 5: Files in pub directory are not readable by world
ReportedBy TWiki:Main.LynnwoodBrown

SVN Range 7873 beta5
AppliesTo Engine
Component BuildScripts
Priority Urgent
CurrentState No Action Required

Topic revision: r6 - 2005-12-23 - CrawfordCurrie