-
2008-10-20
dg8ngn
If you live on a multihomed UNIX machine you want to use filemod 0644 instead of 0600. This is very important if you have to use "safehackmode" on a UNIX machine because your plain text login password is saved in "local.php".
Currently it is not possible to initially set 0600 file permissions on a new Dokuwiki-Setup using the installscript "install.php". It is needed if you use more complex ACL-file permissions on a machine with the ZFS-filesystem (file permissions can't be changed by user).
-
2009-01-19
ChrisS
Can you explain your concern a little more and what you are requesting?
Are you asking to be able to set the file permissions of local.php as part of install.php?
-
2009-01-19
ChrisS
Actually, it's OK, I think I've got it.
For the safe mode hack, your FTP authentication credentials are stored in local.php, which may well be world readable and therefore very poor security.
I wonder if in addition to the above facility, it is sensible to encrypt or encode the password at least to provide a little obscurity.
-
2009-01-19
dg8ngn
I remember the following problem:
I install a dokuwiki on a multi-homed unix platform and want to set file permissions 0600 for "local.php". You can set "0600" at the administration backend which will set 0600 for NEW files but not existing files such as "local.php". I can't log in to the administration backend without an existing "local.php". A typical "the chicken or the egg dilemma" :)
Unfortunately I can't change the file permissions of "local.php" as the file is created by the webserver user (Safemodehack).
Additionally encrypting the password would be fine.
-
2009-01-19
ChrisS
I'm pushing a patch to obscure passwords in local.php(*). We won't be implementing any change to install.php to specify file permissions for local.php. Installations with special requirements like this should be carried out using the manual installation instructions.
(*) DISCLAIMER: This isn't intended to be security in any meaningful sense, but simply to ensure they aren't in plain sight.
-
2009-01-27
oiv
A problem still exists with local.php.
The permissions are changed back to the Apache default and system default umask. In my case nobody and 644.
This does not allow any edits to local.php other than from a PHP script. This means that if DokuWiki is somehow configured into an unusable state you need to have a script to either do a chmod or to delete local.php.
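
A check for the condition discussed in this thread, as an added example that is not part of the original comments or of DokuWiki's code: a shell function that reports whether a config file such as local.php is accessible to group or others, and whether the current user owns it and can therefore chmod it. The return codes and the demo file are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit mode bits and ownership of a config file like local.php.
# Return codes (chosen for this example, not defined by DokuWiki):
#   0 = no group/other read or write bits set
#   1 = exposed, owned by the current user (a plain chmod 600 will work)
#   2 = exposed, owned by another user such as the web server account
#   3 = file missing
audit_conf_file() {
    f=$1
    [ -f "$f" ] || { echo "MISSING  $f"; return 3; }
    exposed=""
    # find -perm -MODE matches when every bit in MODE is set on the file
    for bits in 040 020 004 002; do
        if [ -n "$(find "$f" -prune -perm -"$bits")" ]; then
            exposed="$exposed $bits"
        fi
    done
    if [ -z "$exposed" ]; then
        echo "OK       $f"
        return 0
    fi
    # Only the owner (or root) can chmod; this is the case where a file
    # created by the web server user cannot be fixed from a shell account.
    if [ -n "$(find "$f" -prune -user "$(id -u)")" ]; then
        echo "EXPOSED  $f (bits:$exposed) fix: chmod 600"
        return 1
    fi
    echo "EXPOSED  $f (bits:$exposed) owned by another user, chmod needs that user or root"
    return 2
}

# Demo on a constructed file in a temp directory, not a real wiki install
demo() {
    d=$(mktemp -d) || return 1
    printf '<?php\n// constructed sample\n' > "$d/local.php"
    chmod 644 "$d/local.php"; audit_conf_file "$d/local.php" || true
    chmod 600 "$d/local.php"; audit_conf_file "$d/local.php" || true
    rm -rf "$d"
}
demo
```

Run it again after saving settings through the wiki's administration backend to see whether the mode has been reset to the web server's umask default.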