• Before upgrading to 2.0 I was successfully using WordPress in PHP safe mode. Everything worked well, including maintaining a cache in the wp-content directory using the “Staticize Reloaded” plug-in.

    I upgraded to 2.0 and found that some of the new functionality was broken under safe mode. For example, I couldn’t use the new image upload feature, and the automatic object cache didn’t seem to work properly either.

    So I have temporarily turned off safe mode.

    Does anyone have any suggestions for how I could get the new features to work and keep safe mode enabled? I tried playing with the ownership and permissions on the wp-content dir (and subdirs) but had no success. The main problem seems to be that even if I make the wp-content dir world-writeable (777) any subdirectories created by WordPress end up being owned by the same user:group under which Apache is running, and then WordPress can’t create subdirectories/files in the subdirectories.

    Advice? Ideas?

Viewing 15 replies - 1 through 15 (of 21 total)
  • WordPress can’t create subdirectories/files in the subdirectories.

    Why not? If WordPress creates the dirs then they’re surely writeable by Apache (and therefore PHP), so why can’t WordPress write to them? Unless I’m not understanding something about safe mode…

    Safe mode prevents directories from being created. You can download the following:

    https://www.schestowitz.com/temp/upload_dirs.zip

    Upload everything to the /uploads directory and ensure ownership is yours rather than apache/root. The directories are already set to 777 in the archive. You should be able to switch safe mode back on and upload files thereafter, I believe.

    An empty zip?

    No, 3+36 directories therein. What are you using to open it?

    WinZip 9.0. It says there are folders inside, but doesn’t want to show them.

    Try command-line unzip.exe or pkunzip.exe. Maybe just create these manually.

    /2005
    /2005/1

    /2005/12

    /2006

    Set ownership and permission to make them possible to write onto.

    Well, thank you. WP keeps telling me things like this.


    Warning: move_uploaded_file(): SAFE MODE Restriction in effect. The script whose uid is 1301 is not allowed to access /srv/www/htdocs/web335/html/uwg/wp-content/uploads/2005/12 owned by uid 30 in /srv/www/htdocs/web335/html/uwg/wp-admin/admin-functions.php on line 1757
    The uploaded file could not be moved to .

    I know how to change CHMOD, but how the heck do I influence OWNERSHIP?

    That command would be CHOWN(?). I don’t know too much about it and I don’t have shell access to my server at the moment. Is it possible to change the ownership with an FTP client?

    WP still tells me “File is empty. Please upload something more substantial.” when I try to upload things into the zipped directories I uploaded (chmod 777). I really thought this empty-directories-trick would have worked.

    Thread Starter gregh

    (@gregh)

    Ok, so I tried out what you suggested here… creating the directories, setting the appropriate ownership and permissions, and then turning safe mode back on. The results aren’t the best. Anyway, first of all, here’s what I did to set up the directories and set the perms:

    # world-writeable directories are bad
    chmod 755 wp-content
    cd wp-content
    chmod 755 cache
    chown -R me:me cache
    cd cache

    # full salted directory path not shown
    chmod 755 c4ca4238a...
    chmod 755 userlogins users
    cd c4ca4238a...
    chmod 755 category options pages
    cd ../..

    # set up year/month directories for 2005 through 2015
    cd uploads
    for YEAR in 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
    do
        for MONTH in 1 2 3 4 5 6 7 8 9 10 11 12
        do
            mkdir -p "${YEAR}/${MONTH}"
        done
    done

    cd ..
    chown -R me:me uploads
    chmod 755 uploads

    Now file uploads work, but strangely:

    -rwxrwxrwx 1 apache apache 13364 Dec 28 16:17 P.jpg*
    -rw-r--r-- 1 apache apache 2205 Dec 28 16:17 P.thumbnail.jpg

    Note that the uploaded file is created with permissions of 777, but the thumbnail generated by WordPress has permissions of 644. In both cases the files are owned by the Apache user/group. There are no problems deleting these files. I am a little surprised that the created files are owned by apache:apache, because my reading of the safe mode documentation — https://www.php.net/features.safe-mode — leads me to believe that created files should be owned by me:me (ie. the owner of the scripts) even though created directories are owned by the Apache user/group. By using the phpinfo() function I’ve been able to confirm that safe mode is definitely enabled in the directory where my WordPress install resides; and my WordPress scripts are all definitely owned by me:me.

    The cache, on the other hand, doesn’t seem to work at all. I tried clearing out the cache and no matter how many pages I visit no new object files are written to the cache.

    Finally, for the weirdest part of all; with the wp-content permissions set to 755 I couldn’t view my weblog at all! The admin pages worked, but all the public pages returned zero byte non-HTML pages (that is, my browser attempted to download them instead of displaying them). I set the permissions back to 777 and the problem went away. Then I set them back to 755 and everything continued to work. I suspect that there is something fishy in the cache code. I am going to take a look at it.

    Thread Starter gregh

    (@gregh)

    Looks like I spoke too soon about file uploads working. I get the “failed to open stream: Permission denied” error on attempting to upload. I tried setting the suid bit on the directory (chmod 4755) but got the same error. So I set the perms back to 0755 and set the ownership to apache:apache and got the “SAFE MODE Restriction in effect. The script whose uid is blah is not allowed to access” error. Seems the only way I can get uploads to work is to make the directory permissions 777.

    I looked into using ACLs to grant perms only to the Apache user/group but support for ACLs is not available on my server.

    So looks like I have a choice between two kinds of security hole:

    1. Either I turn off safe mode which means that any potential security hole in WordPress can have a greater impact; and apart from that I don’t like turning off safe mode for any of the virtual hosts on the server because of the “shared server” security issues.

    2. Keep safe mode turned on, but leave a whole stack of world-writeable directories around the place, which is in itself sloppy security practice.

    I now suspect that the reason the cache files are being created is because the directory permissions aren’t 777 (same problem: sloppy permissions).

    Thread Starter gregh

    (@gregh)

    In order to get the cache working under safe mode, I’ve had to chmod all of the directories to 777, as well as changing the ownership of the wp_object_cache.lock file to apache:apache.

    Is there any way of getting the upload function working without CHOWN?

    The panel keeps telling me:
    Warning: move_uploaded_file(): SAFE MODE Restriction in effect. The script whose uid is 1301 is not allowed to access /srv/www/htdocs/web335/html/uwg/wp-content/uploads/2005/12 owned by uid 30 in /srv/www/htdocs/web335/html/uwg/wp-admin/admin-functions.php on line 1757
    The uploaded file could not be moved to .

    I have no shell access and CHOWN is not enabled.
    Anyway, I set all directories to CHMOD 777.

    If there is no solution to that, the only remedy for my site is to return to version 1.5.2.

    Thread Starter gregh

    (@gregh)

    When safe mode is turned on, PHP will refuse to move the uploaded file into the appropriate directory (ie. wp-content/uploads/2005/12/) unless the directory is owned by the same user as is running the script.

    In your case, for some reason your upload directory is owned by user 1301 but your admin-functions.php script is owned by user 30. Even if you have totally open permissions (777) PHP will refuse to move the file until you make the uids match (using chmod).

    Presumably you could also get this to work by uploading the scripts and the directories using your FTP client; that way they’d all have to have the same uid (ie. the uid of the user you’re logged in as via FTP).
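
The ownership rule described in the post above, together with the world-writeable directories discussed earlier in the thread, can be checked from a shell before safe mode is switched back on. This is an added example, not code from the thread: a POSIX shell audit that lists directories whose owner differs from the script owner and directories with the world-write bit set. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Names and the demo tree are constructed.

# Print the numeric owner uid of a path. "ls -n" is portable, unlike stat(1) flags.
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# safe_mode_audit SCRIPT_UID ROOT
# Emits one line per finding under ROOT:
#   UID_MISMATCH <dir>    directory owner differs from the script owner, the
#                         condition behind "SAFE MODE Restriction in effect"
#   WORLD_WRITABLE <dir>  directory has the o+w bit set (e.g. mode 777)
safe_mode_audit() {
    script_uid=$1
    root=$2
    find "$root" -type d ! -user "$script_uid" -print | sed 's/^/UID_MISMATCH /'
    find "$root" -type d -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'
}

# Constructed demo: a small uploads tree with one directory left at 777.
# Everything here is created by the current user, so only the 777 directory
# is reported; on a real host, pass the uid that owns the PHP scripts.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/uploads/2005/12" "$tmp/uploads/2006/1"
    chmod -R 755 "$tmp/uploads"
    : > "$tmp/admin-functions.php"
    chmod 777 "$tmp/uploads/2005/12"
    safe_mode_audit "$(owner_uid "$tmp/admin-functions.php")" "$tmp/uploads"
    rm -rf "$tmp"
}

demo
```

An empty result means every directory under the root is owned by the script owner and none is world-writeable.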

    Er… That’s how I put the scripts into the webspace in the first place. I just uploaded them.

    OK, I gave it a try. I created a folder /uploads/2005/ on my PC and sent it up. It’s now owned by user 1301 and group 102, just like the script.

    The admin panel’s answer is:
    Unable to create directory /srv/www/htdocs/web335/html/uwg/wp-content/uploads/2005/12. Is /srv/www/htdocs/web335/html/uwg/wp-content/uploads/2005 writable?

    Of course, it’s writeable, you stupid machine!

    Thread Starter gregh

    (@gregh)

    You’ll need to create and upload not only 2005, but the subdirectories as well (1, 2, 3 etc). Same for 2006 etc.

  • The topic ‘Safe Mode (1.5 vs 2.0)’ is closed to new replies.