This comment is from http://meta.wikimedia.org/wiki/My_MediaWiki_Site_was_hacked._How%3F_What_should_I_do%3F:
"Here's another problem: It seems that a number of users are leaving the /images directory set at 777 - globally writable. This permits malicious users to take advantage of this and overwrite existing images with their own spiteful images. It should be noted that this is not a MediaWiki issue so much as it is a general permissions issue."
My question is: What is the recommended minimum permission setting?
Caplan, Hillel (US - New York) wrote:
> This comment is from http://meta.wikimedia.org/wiki/My_MediaWiki_Site_was_hacked._How%3F_What_should_I_do%3F:
> "Here's another problem: It seems that a number of users are leaving the /images directory set at 777 - globally writable. This permits malicious users to take advantage of this and overwrite existing images with their own spiteful images. It should be noted that this is not a MediaWiki issue so much as it is a general permissions issue."
> My question is: What is the recommended minimum permission setting?
It must be writable to the web server when MediaWiki is run, or it won't be possible to upload files.
In most configurations that will mean writable by the user account 'apache' or 'www-user' or 'inetpub' or whatever that the web server runs under. Note that in this case web scripts from anyone else on the same system can also access this directory.
In other cases it may be your own user account, if the server is configured to execute scripts under the account of the owner. In that case, limited permissions to that user will forbid other users from writing to the directory.
Note that there may be additional complications when you have to do maintenance from the command line as well, as you may often be running scripts as another user.
-- brion vibber
mediawiki-l@lists.wikimedia.org
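
A check for the situation described in the reply above, added here as an example and not part of the original messages: it fails when the upload directory is not owned by the account the web server runs under, when that account cannot write to it, or when anything under it is world-writable (the 777 case). The function names, the path /var/www/wiki/images and the account name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit a MediaWiki upload directory for the 777 problem.
# Function names and the example path/account are assumptions.

# Print every non-symlink entry under $1 that has the "other" write bit set.
# Symlinks are skipped because their own mode is always 777 and is ignored.
world_writable() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null
}

# Succeed if $1 itself is owned by user $2 (account name or numeric uid).
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" -print 2>/dev/null)" ]
}

# Return 0 only when $1 is owned by the upload account $2, that owner can
# write to it, and nothing inside it is world-writable. Returns 1 on a
# finding, 2 if $1 is not a directory.
audit_upload_dir() {
    dir=$1 user=$2 rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    if ! owned_by "$dir" "$user"; then
        echo "FAIL: $dir is not owned by $user"; rc=1
    fi
    if [ -z "$(find "$dir" -prune -perm -0200 -print 2>/dev/null)" ]; then
        echo "FAIL: owner cannot write to $dir, uploads will not work"; rc=1
    fi
    bad=$(world_writable "$dir")
    if [ -n "$bad" ]; then
        echo "FAIL: world-writable entries:"
        echo "$bad" | sed 's/^/  /'
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# Usage when run directly: ./audit.sh /var/www/wiki/images apache
if [ "$#" -eq 2 ]; then audit_upload_dir "$1" "$2"; fi
```

Run it as a user that can read the whole tree; on a host where scripts execute under your own account, pass that account instead of the web server's.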