
Item14640: Extension installer doesn't honor Store permissions masks

Priority: Normal
Current State: Confirmed
Released In: 2.1.7
Target Release: patch
Applies To: Engine
Component: Configure, FootNotePlugin
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
The Extensions installer honors the MANIFEST permissions bits when they are present.

This requires sites on servers with restrictive permissions to use the CLI to fix up permissions after installation.

Ex: Site using Apache mod_suexec to change the user/group used with the CGI scripts.
  • Apache runs under user/group www-data:www-data
  • CGI scripts run under cgiuser:cgiuser

In this situation, pub files either have to be world readable, or www-data needs to be in the cgiuser group. This can typically be controlled by setting the Configure parameters:
$Foswiki::cfg{Store}{overrideUmask} = $FALSE;
$Foswiki::cfg{Store}{dirPermission} = 0755;
$Foswiki::cfg{Store}{filePermission} = 0644;

However, Foswiki::Configure::Package honors the MANIFEST permissions, which can result in a broken site. While the check permissions wizard can detect the issue, fixing it requires shell access.

Issue detected after installation of FootNotePlugin:
data/System/FootNotePlugin.txt 0644 Plugin doc page
pub/System/FootNotePlugin/styles.css 0660
lib/Foswiki/Plugins/ 0444 Plugin Perl module

Apache was unable to serve the styles.css file, resulting in a 403 - Forbidden response.

-- GeorgeClark - 03 Mar 2018
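
A check that can be run against an extension's MANIFEST before installing it, as an added example that is not part of the report or of Foswiki's own code: it reads lines in the layout quoted above (path, mode, description) and lists pub/ entries whose mode lacks bits granted by the site's {Store}{filePermission}. The function names and the restriction to pub/ are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Foswiki code.
# audit_manifest WANT
#   Reads MANIFEST-style lines ("path mode description") on stdin and prints
#   "path mode missing=BITS" for each pub/ entry whose mode lacks permission
#   bits that WANT (the value of {Store}{filePermission}, in octal) grants.
audit_manifest() {
    want=0${1#0}                      # force a leading 0 so it is read as octal
    while read -r path mode _desc; do
        case $path in
            pub/*) ;;                 # files the web server serves directly
            *) continue ;;
        esac
        case $mode in
            ''|*[!0-7]*) continue ;;  # entry carries no octal mode
        esac
        mode=0${mode#0}
        missing=$(( $want & ~$mode & 0777 ))
        if [ "$missing" -ne 0 ]; then
            printf '%s %s missing=%04o\n' "$path" "$mode" "$missing"
        fi
    done
}

# The three MANIFEST lines quoted in the report, used as sample input.
sample_manifest() {
    cat <<'EOF'
data/System/FootNotePlugin.txt 0644 Plugin doc page
pub/System/FootNotePlugin/styles.css 0660
lib/Foswiki/Plugins/ 0444 Plugin Perl module
EOF
}

# Site configured with {Store}{filePermission} = 0644 (world readable).
sample_manifest | audit_manifest 0644
```

With 0644 the styles.css entry is reported as missing the world-read bit; with 0640 (the case where www-data is in the cgiuser group) nothing is reported.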


Codebase: 2.1.6, 2.1.5
Topic revision: r1 - 03 Mar 2018, GeorgeClark