I'm talking about the directory Bugzilla is installed in, not the Bugzilla subdirectory of it. I think checksetup.pl should give the right permissions to the Bugzilla directory so that it is neither too open (rwxrwxrwx -- giving full access to local users) nor too protected (rwx------ -- possibly giving no access to the web server).
This makes sense. It's a FAQ, even. :)
Flags: blocking2.20? → blocking2.20+
Target Milestone: --- → Bugzilla 2.20
Yeah, that does make sense. There's a larger chance that that will fail to actually work (because the /var/html/www directory perms might not let me change the Bugzilla directory perms), but it's still a good thing to attempt to do. I'd guess that the perms should be... 750? Or if we don't have a good webservergroup, then 755.
Assignee: zach → nobody
"If it's not a regression from 2.18 and it's not a critical problem with something that's already landed, let's push it off." - Dave
This has Myk's [wanted for 2.20] stamp on it -- requesting blocking2.22.
I'll take this for both 2.20 and 2.22 if someone does it (before we branch for 2.22), but I won't hold the release for it.
Flags: blocking2.22? → blocking2.22-
Whiteboard: [wanted for 2.20]
Created attachment 203892 [details] [diff] [review] Fix permissions on "." Call fixPerms on "." during the rest of the permissions checking.
Comment on attachment 203892 [details] [diff] [review] Fix permissions on "." >+ fixPerms('.', $<, $webservergid, 027, 1); If we pass '.' to fixPerms(), then the perms for .htaccess will be automatically set, right? Then we could remove the line fixing .htaccess separately.
(In reply to comment #7) > If we pass '.' to fixPerms(), then the perms for .htaccess will be > automatically set, right? No, I don't think so... why would that happen?
Comment on attachment 203892 [details] [diff] [review] Fix permissions on "." You're handing 1 as do_dirs parameter to fixPerms, which makes it steamroll over all permissions that have been finely tuned in the preceding lines. Don't do that :) I think that the do_dir parameter should be 0. (Comment 7 doesn't apply anymore then, so the .htaccess fixPerms call needs to stay.)
Attachment #203892 - Flags: review?(mkanat) → review-
Mike, are you willing to take another stab at this?
Unfortunately not in the short term, sorry.
Only security and dataloss fixes will be accepted on the 2.20 branch.
Assignee: nobody → installation
Target Milestone: Bugzilla 2.20 → Bugzilla 2.22
It's really easy to fix this while I'm writing bug 346552, so I'm doing it there, for the tip.
Depends on: 346552
Whiteboard: [blocker will fix on tip]
Whiteboard: [blocker will fix on tip] → [blocker fixed it on tip]
I for one wouldn't mind setting this bug's target milestone to 2.24 and marking it FIXED.
Okay, sounds good to me. :-) Fixed by blocker.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Whiteboard: [blocker fixed it on tip] → [fixed by blocker]
Target Milestone: Bugzilla 2.22 → Bugzilla 3.0
You need to log in before you can comment on or make changes to this bug.