DokuWiki

It's better when it's simple


zh:install:permissions

* The original translation has not yet been completed. *

Setting file permissions

DokuWiki stores its data in plain text files. To do so, DokuWiki needs sufficient permissions to write to these files. At the same time, setting the permissions too permissively is a security risk.

DokuWiki is executed by PHP, so the PHP process needs to be able to write to these files. The PHP process usually runs with the permissions of the web server, so the web server needs to be able to write to these files.

The following permissions must be set for the various DokuWiki functions to work correctly:

  • data/ directory (including data/tmp/): these directories and all files below them must be writable by the web process for DokuWiki to work.
  • lib/plugins/ directory: this directory must be writable by the web process for the Extension Manager to work.
  • lib/ directory: this public directory must be readable (755) so that stylesheets can be served.
  • lib/tpl directory: this directory must be writable by the web process to install templates.

install.php copies the following files from the corresponding *.dist files and automatically gives the web process the correct permissions on them:

  • In the conf/ directory, the following files must be writable by the web process:
    • local.php (and local.php.bak) for the installer and the subsequent web-based configuration to work.
    • users.auth.php and acl.auth.php for the ACL web configuration and the User Manager to work.
    • plugins.local.php (and plugins.local.php.bak) for the Extension Manager.

Windows (using Microsoft IIS)

To make the files in the data and conf directories writable, you need to grant "Write" access to the Internet Guest Account (IUSR_computername) or the appropriate web server group (e.g. IIS_WPG). This is done by right-clicking the folders and files, selecting "Properties" from the context menu and opening the "Security" tab.

A detailed description with screenshots is available here.

Note: If you are running PHP under IIS6 with the FastCGI module (FastCGI Extension for IIS 6.0), the user account that needs the permissions will most likely be "NETWORK SERVICE" rather than the Internet Guest Account.

For IIS 7/7.5 this will be the application pools account. It is unclear if you can add this via the GUI. Try the following:

  • Enter IIS APPPOOL\YourAppPoolName in the Select User or Groups dialog box which is accessible by clicking Add…
  • If this doesn't work, consider using the “Users” group local to the machine. This will generally include the Application Pool account. However, it will include any other account added to this local group on the machine, so if that includes users who you would not normally want to have these permissions, this is a less viable option.
  • If you can't find or add the account via the GUI, consider the 'icacls' command line tool: icacls c:\pathtodirectory /grant "IIS AppPool\yourAppPoolName":(OI)(CI)F. This will grant full control with propagation to the specified directory. For more info, google ICACLS.

Add this via the GUI: http://technet.microsoft.com/en-us/library/cc771170%28v=ws.10%29.aspx

Note: Check out the web platform installer v3.0 for the necessary components and add IIS:IP and Domain Restrictions (under products)

Running Windows Server 2008 R2 Standard with IIS 7.5, this worked:
Add a user as described above with the name COMPUTERNAME\IUSER_COMPUTERNAME and give them full control. The Full Computer Name is ComputerName.Domain.com and the Computer Name was just ComputerName without the domain. I used the Computer Name rather than the Full Computer Name.

Unix

This will apply if you install DokuWiki on a Linux, MacOS X or other Unix-like system. It is most probably also true for rented web space.

Note: under Linux, additional file system ACLs (FACLs) may apply; see the commands "getfacl" and "setfacl". The file permissions described below may be meaningless if the FACLs grant no rights.

File Permissions, a short reminder

This is not the place to explain the UNIX file permission system in detail. See Wikipedia for this. Here is just a short refresher:

  • The permissions that apply to a file depend on the file's owner and group and on the user who tries to access the file
  • There are permissions for read, write and execute
  • Each UNIX process runs with the permissions of an OS user and his/her groups
  • The web server is a UNIX process
  • PHP usually runs as part of the web server
  • DokuWiki will run with the permissions of the PHP processor
  • DokuWiki needs read, write and execute permissions for directories it needs to create files in
  • DokuWiki needs read and write permissions for files it needs to write to
  • DokuWiki needs read only permissions for files and directories it doesn't need to write to

To find the user and group your PHP process (web server) runs under, you can try running the following PHP script:

<?php
// Report the effective user and group the PHP process runs as.
if (function_exists('posix_geteuid')) {
    // use the posix extension to get the effective uid and gid
    $uid   = posix_geteuid();
    $usr   = posix_getpwuid($uid);
    $user  = $usr ? $usr['name'] : 'unknown';
    $gid   = posix_getegid();
    $grp   = posix_getgrgid($gid);
    $group = $grp ? $grp['name'] : 'unknown';
} else {
    // no posix extension: create a file and read its owner ids
    $tmp = tempnam('/tmp', 'check');
    $uid = fileowner($tmp);
    $gid = filegroup($tmp);

    // run ls on it to map the ids to names; split on runs of whitespace,
    // because ls pads its columns with more than one space
    $out   = `ls -l $tmp`;
    $lst   = preg_split('/\s+/', trim($out));
    $user  = $lst[2];
    $group = $lst[3];
    unlink($tmp);
}

echo "Your PHP process seems to run with the UID $uid ($user) and the GID $gid ($group)\n";
?>

Alternatively, you can use a short script calling phpinfo() and look at the User/Group entry in its output:

<?php
phpinfo();
?>

Common Permissions

Here are the most commonly used values for setting permissions on directories and files.

directories   files   result
0700          0600    read/write for owner only. The owner must be the same as the PHP process user.
0770          0660    read/write for owner and group. The PHP process user needs to be in the group.
0777          0666    read/write for everyone. Dangerous, because everybody with access to the server may write and delete your files. Use only as a last resort on trusted machines, NOT on a cheap shared hosting server.

Which permissions to set?

So, how should you set the permissions of the directories mentioned above? In general you should try to set the permissions as restrictive as possible, but there is no general rule which permissions you need to set for your system.

If you have root (super user rights) you can change the owner of files and directories. This means you can change the owner of the DokuWiki files to the web server user (e.g. www-data or nobody) and set the permissions to webserver only access. E.g. 0600 for files and 0700 for directories.

If you are a normal user you may be a member of the web server group and can change the files to be owned by this group. Then set the files and directories to be writable by this group. E.g. 0660 for files and 0770 for directories.

If you are alone on the server or running in a completely trusted environment you can simply change the permissions to give everyone access. E.g. 0666 for files and 0777 for directories.

If you're running on a shared web server it is recommended to contact your web server administrator or hosting support and ask for help and recommendations. Point them to this page and they should know what you need to do.

Note: Once you have found the correct settings for your directories, you should change the fmode and dmode configuration settings to reflect them, so that files and directories DokuWiki creates later get the same permissions.

How to set permissions?

On the command line use chmod for changing permissions, chown for changing the owner of files and dirs and chgrp for changing the group. (Note that chown and chgrp may not be available or function as expected if you use a shared web hosting provider.)

When accessing your server through FTP, consult the manual of your FTP tool. Most graphical FTP tools have a dialog to set permissions (often to be found in the right-click context menu).

On some UN*X-like systems, you may be able to use filesystem ACLs to allow the PHP user to write to the files as well. For Sun's ZFS, see the Solaris ZFS Administrator's guide for details. For POSIX-draft compliant filesystems, like Linux ext2/3 or Sun's UFS on Solaris 8 or later, see the man pages for setfacl and getfacl.

Check with your system administrator – some backup systems will ignore ACLs on files. If available, ACLs are more secure than adding the PHP user to your group, giving away the files to the PHP user, or making the files world-writable.

If things go wrong

In certain situations, you may find that you are unable to delete or modify files created by DokuWiki. See fixperms.php for a possible solution.

Tip: Using the setgid Bit

If you have commandline access to your server, you can use the setgid bit to retain permissions to delete files below the data/ directory although they were created by the web server. On directories where the setgid bit is set, newly created files/directories belong to the same group the directory with the setgid belongs to. The following example shows how to achieve such a setup for the user www-data who belongs to the group foo:

  • data directory:
    • yourwiki> chmod -R g=rwX,u=rwX,o=rX data/
    • yourwiki> chown -R www-data:foo data/
  • everything below the data directory:
    • yourwiki/data> chmod 2775 {attic,cache,index,locks,media,meta,pages,tmp}
    • yourwiki/data> chown www-data:foo {attic,cache,index,locks,media,meta,pages,tmp}

In order to fully retain correct permissions, you must also change dmode to 02775 or similar so that newly created directories will also get the setgid bit set correctly.
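The following check script is an added example and not part of the DokuWiki page: after applying the chmod/chown commands above, it walks the standard data/ subdirectories named in the tip and reports any that lack the setgid bit or group write access (the "rws" group field in the ls mode string), using only POSIX ls and cut so it runs on any Unix. The data/ path argument and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the DokuWiki page): verify the setgid setup that
# "chmod 2775" produces on the data/ subdirectories, e.g. "drwxrwsr-x".

# Return the 10-character mode string of a path, e.g. "drwxrwsr-x".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Succeed (0) only when $1 is a directory whose group field reads "rws",
# i.e. group read/write/execute with the setgid bit set.
check_setgid_dir() {
    m=$(mode_string "$1") || return 1
    case "$m" in
        d???rws*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Walk the data/ subdirectories listed in the tip above and print each one
# that is missing or lacks the setgid/group-write setup. Returns 1 if any
# directory is wrong, 0 if all of them are correct.
check_data_tree() {
    root=$1
    rc=0
    for d in attic cache index locks media meta pages tmp; do
        if [ -d "$root/$d" ]; then
            if ! check_setgid_dir "$root/$d"; then
                echo "missing setgid/group-write: $root/$d ($(mode_string "$root/$d"))"
                rc=1
            fi
        else
            echo "missing directory: $root/$d"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_setgid.sh /path/to/yourwiki/data
if [ $# -gt 0 ]; then
    check_data_tree "$1"
fi
```

Run it again after DokuWiki has created new files to confirm that dmode is set so that fresh directories keep the setgid bit.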

How do I make specific pages in the wiki read-only?

zh/install/permissions.txt · Last modified: 2021-01-13 13:06 by guyezi

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International