Support » Plugin: SSH SFTP Updater Support » umask not honored/o+r explicitly set on files

  • Resolved tgoeg

    (@tgoeg)


    Hi!
    The 0.8.2 update made the plugin work again on newer PHP versions, so my setup is nearly perfect (see https://wordpress.org/support/topic/update-failed-unable-to-locate-wordpress-content-directory-wp-content/page/2/#post-11721413 for details).

    However, one problem remains.

    I run OpenSSH’s sftp with
    internal-sftp -u 0027
    which works nicely when testing from the CLI.
    Files always have o-rwx set.

    When updating plugins via the web GUI and using this SSH backend, directories get created correctly o-rwx.
    However, files have o+r set, although they don’t if I simply upload a file with the sftp CLI.

    So some WordPress core or this plugin’s functionality seems to explicitly set o+r, which is completely unnecessary and not good security practice.

    Can you tell where this happens/can this be fixed in this plugin?

    I don’t think the problem is unzip not honoring permissions as mentioned in https://wordpress.org/support/topic/fail-to-make-wp-set-the-umask-i-want/ because as far as I understand, the last step to put files into place has to be an sftp put command in this config.

    Thanks in advance!
    Thomas

  • Plugin Author David Anderson

    (@davidanderson)

    WP core tries to set file permissions. There are some wp-config.php constants if you want to force some particular permission – FS_CHMOD_DIR, FS_CHMOD_FILE. The plugin will respect those constants.

    Thread Starter tgoeg

    (@tgoeg)

    That’s it, finally!
    Thanks a bunch.

    I set

    umask(0027);
    define( 'FS_CHMOD_DIR', ( 0755 & ~ umask() ) );
    define( 'FS_CHMOD_FILE', ( 0644 & ~ umask() ) );
    

    and now others have no permissions, and group (www-data) can only read the resulting files (and cd into dirs). Perfect. This is the definitive setup that does not seem to be documented anywhere on the whole wide Internet (I searched).

    Warning: Do not quote the parameter passed to umask or it won’t work as expected!

    Please add this to the docs so others can benefit as well!
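
Added example (not part of the thread or the plugin's code): the arithmetic behind the wp-config.php lines in the reply above, and what changes when the umask argument is quoted. The helper names `masked_mode` and `fmt_mode` are made up for this illustration.

```php
<?php
// Added example, not code from the thread or the plugin.
// masked_mode() and fmt_mode() are hypothetical helper names.

/** Base mode with the umask bits cleared, as in ( 0755 & ~ umask() ). */
function masked_mode(int $base, int $mask): int
{
    return $base & ~$mask & 0777;
}

/** Render a mode as four octal digits. */
function fmt_mode(int $mode): string
{
    return sprintf('%04o', $mode);
}

$masks = [
    'umask(0027), octal literal'   => 0027,
    "umask('0027'), quoted string" => (int) '0027',         // numeric string is read as decimal 27
    "octdec('0027'), parsed octal" => (int) octdec('0027'), // safe way to take a mask from a string
];

foreach ($masks as $label => $mask) {
    printf(
        "%-30s mask=%s FS_CHMOD_DIR=%s FS_CHMOD_FILE=%s\n",
        $label,
        fmt_mode($mask),
        fmt_mode(masked_mode(0755, $mask)),
        fmt_mode(masked_mode(0644, $mask))
    );
}

// Confirm on a real file (constructed temp file) that the computed mode
// leaves no permission bits for "others".
$file = tempnam(sys_get_temp_dir(), 'fsmode');
chmod($file, masked_mode(0644, 0027));
clearstatcache();
$actual = fileperms($file) & 0777;
printf("temp file mode: %s, other bits: %s\n", fmt_mode($actual), fmt_mode($actual & 0007));
unlink($file);
```

Run it with the PHP CLI. In the quoted case the mask becomes 0033, which leaves FS_CHMOD_FILE at 0644, so files stay world-readable.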
