Recent Changes - Search:

Cookbook

PmWiki

pmwiki.org

Cookbook /

DirectoryAndFilePermissions

Summary: Explains which directories and files need to be readable, writable, and servable by the webserver.
Version: 2006-12-05
Prerequisites:
Status: Initial version
Maintainer:
Discussion: DirectoryAndFilePermissions-Talk
Categories: Security Administration

Description

Explains which directories and files need to be readable, writable, and servable by the webserver.

Questions answered by this recipe

  • Is there a place somewhere that says what permissions the PmWiki folders should have?
  • What files and directories need to be "servable" by the webserver?

Answers

Yes, see File permissions - PmWiki's settings for file and directory permissions in a typical Unix environment .

Also, see the following

First, some terms. For the purpose of this document,

  • A file is readable if the webserver can read the file from the disk.
  • A file is writable if the webserver can create or modify the file.
  • A file is servable if the webserver can read the file and deliver it to the browser.

Readable directories

All PmWiki directories should be readable, although the docs/ directory doesn't need to be readable by the webserver.

Writable directories

The wiki.d/ always needs to be writable because that's where wiki pages are stored.

If uploads are enabled, the uploads/ directory needs to be writable so uploaded files can be stored. Note that it only needs to be writable when files will uploaded with ?action=upload. Conceivably an administrator could enable uploads and have the directory non-writable so Attach: syntax would work for existing "attached" files.

PmWiki also needs a writable directory for session data. Ideally this directory will be somewhere that's outside of the web hierarchy. The default directory for sessions (usually /tmp/) is typically set globally in PHP's global configuration file (php.ini). You can also use session_save_path() to identify the directory to be used. Make sure the directory is writable by the webserver.

Servable directories

At minimum, one file and one "directory tree" (a directory and all of its subdirectories) will be servable. The one file (pmwiki.php or a wrapper script) needs to be servable from the main directory. The one directory tree is the pub/ directory and all directories below it. The pub/ directory exists specifically for publicly-accessible files, so obviously it's always servable.

The uploads/ directory tree is typically servable, but it doesn't need to be. You can configure your wiki with

$EnableDirectDownload = 0;

to cause files in the uploads/ tree to be delivered "through" PmWiki and then the files themselves don't need to be servable.

Setting permissions

This isn't an easy subject to explain because, for example, knowing that a directory of file has "755" or "644" permissions is not enough information to tell if permissions are correct. Determining correct permissions will depend on other attributes. (Is this a regular file or directory? Is it owned by the webserver's UID or GID or your UID/GID or some other UID/GID?) Permissions will be different if you used the method "for a slightly more secure installation", for example.

Put another way, how you set permissions is highly dependent upon how your server is configured.

Here are sample directory and file permissions from a freshly-installed copy of PmWiki that was installed using the "slightly more secure" (2777) method: 

[drwxr-xr-x]  pmwiki
|-- [-rw-r--r--]  README.txt
|-- [drwxr-xr-x]  cookbook
|   |-- [-rw-r--r--]  .htaccess
|   `-- [-rw-r--r--]  (all files)
|-- [drwxr-xr-x]  docs
|   `-- [-rw-r--r--]  .htaccess
|-- [-rw-r--r--]  index.php
|-- [drwxr-xr-x]  local
|   |-- [-rw-r--r--]  .htaccess
|   `-- [-rw-r--r--]  config.php
|-- [-rw-r--r--]  pmwiki.php
|-- [drwxr-xr-x]  pub
|   |-- [drwxr-xr-x]  css
|   |-- [drwxr-xr-x]  guiedit
|   |   `-- [-rw-r--r--]  (all files)
|   `-- [drwxr-xr-x]  skins
|       |-- [drwxr-xr-x]  pmwiki
|       |   `-- [-rw-r--r--]  (all files)
|       `-- [drwxr-xr-x]  print
|           `-- [-rw-r--r--]  (all files)
|-- [drwxr-xr-x]  scripts
|   |-- [-rw-r--r--]  .htaccess
|   `-- [-rw-r--r--]  (all other files)
|-- [drwxrwsr-x]  uploads
|   `-- [drwxrwxr-x]  Main
|       `-- [-rw-rw-r--]  (all written files)
|-- [drwxrwxr-x]  wiki.d
|   `-- [-rw-rw-r--]  (all written files)
`-- [drwxr-xr-x]  wikilib.d
    `-- [-rw-r--r--]  (all files)

Notes

Release Notes

This is the initial release.

See Also

  • File permissions - PmWiki's settings for file and directory permissions in a typical Unix environment
  • PHP - PHP windows installation and configuration for PmWiki
  • InstallOnIIS - How to install PmWiki on IIS v6 or v7

Contributors

Comments

See discussion at DirectoryAndFilePermissions-Talk

User notes? : If you use, used or reviewed this recipe, you can add your name. These statistics appear in the Cookbook listings and will help newcomers browsing through the wiki.

Edit - History - Print - Recent Changes - Search
Page last modified on September 02, 2012, at 11:22 PM