install:permissions

Differences

This shows you the differences between two versions of the page.

install:permissions [2017-06-12 16:38] 85.152.21.144install:permissions [2023-12-12 16:17] (current) – Write access isn't enough, since that makes the DokuWiki pages load very slowly. antwoorden
Line 1: Line 1:
 ====== Setting up file permissions ====== ====== Setting up file permissions ======
  
-[[..:DokuWiki]] stores its data in plain text files. To be able to do this, DokuWiki needs sufficient permissions to write to these files. At the same time, leaving the permissions too loose can introduce security risks.+[[:DokuWiki]] stores its data in plain text files. To be able to do this, DokuWiki needs sufficient permissions to write to these files. At the same time, leaving the permissions too loose can introduce security risks.
  
 DokuWiki is executed by PHP, so the PHP process needs to be able to write to these files.  The PHP process usually runs with the permissions of the webserver, so the webserver needs to be able to write to these files. DokuWiki is executed by PHP, so the PHP process needs to be able to write to these files.  The PHP process usually runs with the permissions of the webserver, so the webserver needs to be able to write to these files.
Line 11: Line 11:
   * ''lib/tpl'' directory must be writable for the webprocess to install templates   * ''lib/tpl'' directory must be writable for the webprocess to install templates
  
-The following files are copied by the installer.php from the respective *.dist files and given the correct permissions for the web process automatically:+The following files are copied by the ''install.php'' from the respective *.dist files and given the correct permissions for the web process automatically:
   * ''conf/'' directory, following files must be writable by the web process:    * ''conf/'' directory, following files must be writable by the web process: 
-     * ''local.php'' (and ''local.php.bak'') for the [[..:installer]] and for subsequent web configuration to work. +     * ''local.php'' (and ''local.php.bak'') for the [[:installer]] and for subsequent web configuration to work. 
-     * ''users.auth.php'' and ''acl.auth.php'' for the [[..:ACL]] web configuration and [[plugin:usermanager]] to work.+     * ''users.auth.php'' and ''acl.auth.php'' for the [[:ACL]] web configuration and [[plugin:usermanager]] to work.
      * ''plugins.local.php'' (and ''plugins.local.php.bak'') for the [[plugin:extension|Extension Manager]]      * ''plugins.local.php'' (and ''plugins.local.php.bak'') for the [[plugin:extension|Extension Manager]]
 +
 ===== Windows (using Microsoft IIS) ===== ===== Windows (using Microsoft IIS) =====
  
-To make the files in the ''data'' and ''conf'' directory writable you need to give "Write" access to the +To make the files in the ''data'' and ''conf'' directory writable you need to give "Modify" access to the 
-Internet Guest Account (''IUSR_//computername//'') or the appropriate web server group (like ''IIS_WPG''). This is done through the right-click context menu on folders and files choosing "Properties" and selecting the "security" tab.+Internet Guest Account (''IUSR'') or the appropriate web server group (like ''IIS_WPG''). This is done through the right-click context menu on folders and files choosing "Properties" and selecting the "security" tab.
  
 A good description with screenshots is available [[http://www.enewsletterpro.com/support/permissions.asp|here]]. A good description with screenshots is available [[http://www.enewsletterpro.com/support/permissions.asp|here]].
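Review bot: In the IIS paragraph, the switch from "Write" to "Modify" widens what the anonymous account may do on all of ''data'' and ''conf'', but the page text gives no reason for it; the only rationale is in the edit summary (write access alone makes pages load very slowly). Put that reason into the paragraph so readers can judge the trade-off, and consider scoping the grant in ''conf'' to the files the list above names as needing to be writable. The account name is also updated to ''IUSR'' while the group example ''IIS_WPG'' is left as it was; confirm both names apply to the same IIS version, or state which version each belongs to.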
Line 33: Line 34:
  
 Note: Check out the web platform installer v3.0 for the necessary components and add IIS:IP and Domain Restrictions (under products) Note: Check out the web platform installer v3.0 for the necessary components and add IIS:IP and Domain Restrictions (under products)
-asdf+
 Running **Windows Server 2008, R2 Standard.  IIS 7.5** this worked: \\ Running **Windows Server 2008, R2 Standard.  IIS 7.5** this worked: \\
 Add a user as described above with the name: COMPUTERNAME\IUSER_COMPUTERNAME and give them full control.  The Add a user as described above with the name: COMPUTERNAME\IUSER_COMPUTERNAME and give them full control.  The
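Review bot: The context line under the removed "asdf" still tells readers to give ''COMPUTERNAME\IUSER_COMPUTERNAME'' "full control", which now disagrees with this revision's own advice of "Modify" for ''IUSR'' in the section above. Either reduce this to "Modify" as well, or mark the paragraph as specific to Windows Server 2008 R2 / IIS 7.5 and say why the broader grant was needed there.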
Line 73: Line 74:
     $group = $grp['name'];     $group = $grp['name'];
 }else{ }else{
-    // try to create a file and read it'ids+    // try to create a file and read its ids
     $tmp = tempnam ('/tmp', 'check');     $tmp = tempnam ('/tmp', 'check');
     $uid = fileowner($tmp);     $uid = fileowner($tmp);
Line 103: Line 104:
 | ''0700'' | ''0600'' | read/write for owner only. Owner must be the same as the PHP process user. | | ''0700'' | ''0600'' | read/write for owner only. Owner must be the same as the PHP process user. |
 | ''0770'' | ''0660'' | read/write for owner and group. The PHP process user needs to be in the user group | | ''0770'' | ''0660'' | read/write for owner and group. The PHP process user needs to be in the user group |
-| ''0777'' | ''0666'' | read/write for everyone. **Dangerous** everybody with access to the server may write and delete your files. Use only as last resort on trusted machines. |+| ''0777'' | ''0666'' | read/write for everyone. **Dangerous** because everybody with access to the server may write and delete your files. Use only as last resort on //trusted// machines, NOT on a cheap shared hosting server. |
  
 ==== Which permissions to set? ==== ==== Which permissions to set? ====
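Review bot: In the ''0777'' / ''0666'' row, "a cheap shared hosting server" ties the warning to price, while the risk stated in the same cell (everybody with access to the server may write and delete your files) applies to any host shared with other accounts. Suggest "NOT on shared hosting". The cell also now carries three kinds of emphasis (**Dangerous**, //trusted//, uppercase NOT); one would read more clearly.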
Line 135: Line 136:
 by DokuWiki.  See [[tips:fixperms.php]] for a possible solution. by DokuWiki.  See [[tips:fixperms.php]] for a possible solution.
  
 +==== Tip: Using the setgid Bit ====
  
- 
-==== Tip: Using the setgid Bit ==== 
 If you have commandline access to your server, you can use the ''setgid'' bit to retain permissions to delete files below the ''data/'' directory although they were created by the web server. On directories where the ''setgid'' bit is set, newly created files/directories belong to the same group the directory with the ''setgid'' belongs to. The following example shows how to achieve such a setup for the user ''www-data'' who belongs to the group ''foo'': If you have commandline access to your server, you can use the ''setgid'' bit to retain permissions to delete files below the ''data/'' directory although they were created by the web server. On directories where the ''setgid'' bit is set, newly created files/directories belong to the same group the directory with the ''setgid'' belongs to. The following example shows how to achieve such a setup for the user ''www-data'' who belongs to the group ''foo'':
  
   * data directory:   * data directory:
-    * ''yourwiki> chmod -R 775 data/''+    * ''yourwiki> chmod -R g=rwX,u=rwX,o=rX data/''
     * ''yourwiki> chown -R www-data:foo data/''     * ''yourwiki> chown -R www-data:foo data/''
   * everything below the data directory:   * everything below the data directory:
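Review bot: In the data directory step, the capital X in ''chmod -R g=rwX,u=rwX,o=rX data/'' grants execute to directories and to files that already have an execute bit, so it does not remove execute from regular files that were made executable earlier. Wikis that followed the previous ''chmod -R 775 data/'' will keep executable page and media files after running the new command. Add a sentence covering that upgrade case, for example clearing the execute bits on regular files before applying the symbolic mode.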
Line 148: Line 148:
  
 In order to fully retain correct permissions, you must also change [[config:dmode|dmode]] to 02775 or similar so that newly created directories will also get the ''setgid'' bit set correctly. In order to fully retain correct permissions, you must also change [[config:dmode|dmode]] to 02775 or similar so that newly created directories will also get the ''setgid'' bit set correctly.
- 
  
  
install/permissions.1497278296.txt.gz · Last modified: 2017-06-12 16:38 by 85.152.21.144

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International