Caplan, Hillel (US - New York) wrote:
This comment is from http://meta.wikimedia.org/wiki/My_MediaWiki_Site_was_hacked._How%3F_What_should_I_do%3F:
"Here's another problem: It seems that a number of users are leaving the /images directory set at 777 - globally writable. This permits malicious users to take advantage of this and overwrite existing images with their own spiteful images. It should be noted that this is not a MediaWiki issue so much as it is a general permissions issue."
My question is: What is the recommended minimum permission setting?
It must be writable to the web server when MediaWiki is run, or it won't be possible to upload files.
In most configurations that will mean writable by the user account 'apache' or 'www-user' or 'inetpub' or whatever that the web server runs under. Note that in this case web scripts from anyone else on the same system can also access this directory.
In other cases it may be your own user account, if the server is configured to execute scripts under the account of the owner. In that case, limited permissions to that user will forbid other users from writing to the directory.
Note that there may be additional complications when you have to do maintenance from the command line as well, as you may often be running scripts as another user.
-- brion vibber
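The point made in the reply above (the upload directory needs to be writable by the account the web server runs under, not by everyone), as an added example that is not part of the original thread: a POSIX shell audit that lists world-writable entries under an upload directory and clears only the world-write bit. The function names and the idea of passing the directory as the first argument are assumptions made for this example; ownership is left untouched, so the directory must already be owned by the right account.

```shell
#!/bin/sh
# Added example, not MediaWiki's own tooling.
# Usage (assumed): sh audit-uploads.sh /path/to/wiki/images

# Print every file or directory under $1 that has the world-write bit (0002) set.
# Symlinks are skipped because their own mode bits are not meaningful.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Number of world-writable entries under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Clear only the "other" write bit. Owner and group bits are left alone, so the
# account that owns the directory (the web server user, or your own account when
# scripts run under the owner) can still write uploads there.
drop_world_write() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    dir=$1
    echo "world-writable entries under $dir: $(count_world_writable "$dir")"
    list_world_writable "$dir"
    drop_world_write "$dir"
    echo "remaining after chmod o-w: $(count_world_writable "$dir")"
    # Run this as the web server account to confirm uploads will still work.
    if [ -w "$dir" ]; then
        echo "$dir is writable by $(id -un)"
    else
        echo "$dir is NOT writable by $(id -un); check ownership" >&2
    fi
fi
```

Running it from the command line as a different user than the web server will report the directory as not writable once world-write is gone, which is the maintenance complication the reply mentions.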