Explains which directories and files need to be readable, writable, and servable by the webserver.
Questions answered by this recipe
- Which directories and files need to be readable, writable, and servable by the webserver?
- Is there a place somewhere that says what permissions the PmWiki folders should have?
- Either pmwiki.php or a wrapper script needs to be "servable" (invokable by browsing to a location) to a browser by the webserver.
- The pub/ directory and all of its subdirectories need to be "servable" to a browser.
- One directory, wiki.d/, needs to be writable by the webserver.
- Another directory, uploads/, needs to be writable for file-upload capability.
- Except for docs/, all other directories and files need only be readable by the webserver.
File permissions - PmWiki's settings for file and directory permissions in a typical Unix environment.
First, here are some terms used in this document.
- A file or directory is readable if the webserver can read it from the disk.
- A file or directory is servable if the webserver can read it and deliver its contents to the browser.
PHP script files need to be readable but their contents should not be servable.
CSS stylesheet files and image files are examples of content that needs to be servable.
- A file is writable if the webserver can create or modify it. A directory is writable if the webserver can create or modify a file in it.
- web document tree: The part of the filesystem where directories and files are servable by the webserver.
All PmWiki directories should be readable, although the docs/ directory doesn't need to be readable by the webserver.
The wiki.d/ directory always needs to be writable because that's where wiki pages are stored.
If uploads are enabled, the uploads/ directory needs to be writable so uploaded files can be stored. Note that it only needs to be writable when files will be uploaded with ?action=upload. Conceivably an administrator could enable uploads and have the directory non-writable so Attach: syntax would work for files that have been previously uploaded.
PmWiki also needs a writable directory for session data. Ideally this directory will be somewhere that's outside of the web document hierarchy. The default directory for sessions (usually /tmp/) is typically set globally in PHP's global configuration file (php.ini). You can also use session_save_path() to identify the directory to be used.
At minimum, one file and one "directory tree" (a directory and all of its subdirectories) will be servable. The one file (pmwiki.php or a wrapper script) needs to be servable from the main directory. The one directory tree is the pub/ directory and all subdirectories below it. The pub/ directory exists specifically as a location for publicly-accessible (servable) files.
The uploads/ directory tree is typically servable, but it doesn't need to be. You can configure your wiki with
$EnableDirectDownload = 0;
to cause files in the uploads/ tree to be delivered "through" PmWiki and then the files themselves don't need to be servable and uploads/ can be located outside the web document tree.
This isn't an easy subject to explain because, for example, knowing that a directory or file has "755" or "644" permissions is not enough information to tell if permissions are correct. Determining correct permissions will depend on other attributes. (Is this a regular file or directory? Is it owned by the webserver's UID or GID or your UID/GID or some other UID/GID?) Permissions will be different if you used the method "for a slightly more secure installation", for example.
Put another way, how you set permissions is highly dependent upon how your server is configured.
Here are sample directory and file permissions from a freshly-installed copy of PmWiki that was installed using the "slightly more secure" (2777) method:
[drwxr-xr-x] pmwiki
|-- [-rw-r--r--] README.txt
|-- [drwxr-xr-x] cookbook
|   |-- [-rw-r--r--] .htaccess
|   `-- [-rw-r--r--] (all files)
|-- [drwxr-xr-x] docs
|   `-- [-rw-r--r--] .htaccess
|-- [-rw-r--r--] index.php
|-- [drwxr-xr-x] local
|   |-- [-rw-r--r--] .htaccess
|   `-- [-rw-r--r--] config.php
|-- [-rw-r--r--] pmwiki.php
|-- [drwxr-xr-x] pub
|   |-- [drwxr-xr-x] css
|   |-- [drwxr-xr-x] guiedit
|   |   `-- [-rw-r--r--] (all files)
|   `-- [drwxr-xr-x] skins
|       |-- [drwxr-xr-x] pmwiki
|       |   `-- [-rw-r--r--] (all files)
|       `-- [drwxr-xr-x] print
|           `-- [-rw-r--r--] (all files)
|-- [drwxr-xr-x] scripts
|   |-- [-rw-r--r--] .htaccess
|   `-- [-rw-r--r--] (all other files)
|-- [drwxrwsr-x] uploads
|   `-- [drwxrwsr-x] Main
|       `-- [-rw-rw-r--] (all written files)
|-- [drwxrwsr-x] wiki.d
|   `-- [-rw-rw-r--] (all written files)
`-- [drwxr-xr-x] wikilib.d
    `-- [-rw-r--r--] (all files)
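To compare an existing install with the sample listing above, a small audit script can report each deviation. This is an added example, not part of the recipe or of PmWiki: the function names and finding labels are illustrative, and it assumes the sample layout (only wiki.d/ and uploads/ group-writable and setgid, an .htaccess in cookbook/, docs/, local/ and scripts/), which may not match every server configuration.

```shell
#!/bin/sh
# Added example, not PmWiki code: list where a tree deviates from the sample
# listing above. Function names and finding labels are illustrative.
audit_pmwiki_perms() {
    root=${1%/}
    # In the sample only wiki.d/ and uploads/ carry a write bit beyond the
    # owner's. Symlinks are skipped because their own mode is not meaningful.
    find "$root" \( -path "$root/wiki.d" -o -path "$root/uploads" \) -prune \
        -o ! -type l \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE-OUTSIDE-DATA: /'
    for d in wiki.d uploads; do
        [ -d "$root/$d" ] || continue    # uploads/ exists only if enabled
        # Sample mode is drwxrwsr-x / -rw-rw-r--: setgid on, no world-write.
        find "$root/$d" -type d ! -perm -2000 -print | sed 's/^/NO-SETGID: /'
        find "$root/$d" ! -type l -perm -002 -print |
            sed 's/^/WORLD-WRITABLE: /'
    done
    # The sample lists an .htaccess in cookbook/, docs/, local/ and scripts/.
    for d in cookbook docs local scripts; do
        if [ -d "$root/$d" ] && [ ! -f "$root/$d/.htaccess" ]; then
            echo "MISSING-HTACCESS: $root/$d"
        fi
    done
}

# Constructed demo tree with four deliberate deviations (runs in a subshell).
demo() (
    umask 022
    t=$(mktemp -d)
    mkdir -p "$t/wiki.d" "$t/uploads/Main" "$t/local" "$t/scripts" "$t/pub/css"
    chmod 2775 "$t/wiki.d" "$t/uploads"    # uploads/Main is left without setgid
    : > "$t/wiki.d/Main.HomePage"
    chmod 666 "$t/wiki.d/Main.HomePage"    # world-writable page file
    chmod 777 "$t/pub/css"                 # writable outside the data dirs
    : > "$t/local/.htaccess"               # scripts/ gets no .htaccess
    audit_pmwiki_perms "$t"
    rm -rf "$t"
)

# Audit the directory given as $1, or run the constructed demo.
if [ $# -gt 0 ]; then audit_pmwiki_perms "$1"; else demo; fi
```

A finding means the tree differs from this sample, not necessarily that it is wrong; ownership and server configuration still decide what is correct.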
Technically it's possible to have no wrapper script and call pmwiki.php indirectly via URL rewriting. For the sake of avoiding confusion, that type of special exception is not covered here.
Any file that doesn't need to be servable can be moved outside the document tree.
Some items distributed in the pub/ directory don't need to be servable and can be moved outside the web document tree.
The writable directories only need to be writable for content to be added. In other words, once files have been written to uploads/ or pages have been saved in wiki.d/ they can be changed to readable and content can still be served from them.
If you rearrange directories, be sure to pay special attention when you upgrade because the upgrade procedure assumes your directories are in the default locations.
The initial release.
Rework and refine.
Refine develop some more.
- File permissions - PmWiki's settings for file and directory permissions in a typical Unix environment
- PHP - PHP windows installation and configuration for PmWiki
- InstallOnIIS - How to install PmWiki on IIS v6 or v7
See discussion at DirectoryAndFilePermissions-Talk