Discussion:
Default upload permissions
Claude Paroz
2018-07-13 16:19:20 UTC
Hi all,

https://code.djangoproject.com/ticket/28540 explains that unless
FILE_UPLOAD_PERMISSION is set (not set by default), uploaded file
permissions are often a mix of 0o600 and 0o644 (or another value
depending on the default umask), based on the upload method (memory or
temporary file), which itself varies depending on the file size.

My opinion, like the reporter's, is that those permissions should not vary
depending on the upload method used; that's why I suggested this PR
(probably not the cleanest one!):
https://github.com/django/django/pull/10116

Please read the conversation and tell us if you have anything to add
that could help make a decision. Thanks.

Claude
--
www.2xlibre.net
--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+***@googlegroups.com.
To post to this group, send email to django-***@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/c39e0821-4634-7ae3-983b-9554021f04f4%402xlibre.net.
For more options, visit https://groups.google.com/d/optout.
Carlton Gibson
2018-12-05 08:54:47 UTC
Hi all,

This has come up again, so a proposal is below.

https://code.djangoproject.com/ticket/30004 "Document TemporaryUploadedFile
potential permission issues"

Issue is that, with the default settings, you get 0o644 permissions for
"small" files and 0o600 permissions for "big" ones.
(Depending on which upload handler is used.)

History:

* Claude and I discussed this a bit.
* We are agreed the inconsistent default isn't great.
* We noted just setting FILE_UPLOAD_PERMISSION solves this.
* Given FILE_UPLOAD_PERMISSION = None, Claude suggested a patch which would
"guess" the permissions to use from the process umask.
* I didn't like this:
  * too clever, and ultimately not our business.
  * Would work for default settings but get in the way once you started
    using the related file upload settings. (And so would need an opt-out.)
* In the end we just added a note to the deployment checklist.

This wasn't good enough. (Clearly.)

*Proposal*: we should change the default for FILE_UPLOAD_PERMISSION to
0o644 (or maybe 0o664), and document that as a backward incompatible
change. This would be correct for almost all users. If you're deliberately
leveraging `FILE_UPLOAD_PERMISSION = None` it's an easy switch back to the
current behaviour.

Can I ask you to comment? Thanks.

Kind Regards,

Carlton
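The inconsistency the proposal addresses can be reproduced without Django. The block below is an added example, not code from this thread or from Django itself: it imitates the two storage paths in plain Python (a "small" upload written straight into a freshly opened file, whose mode follows the process umask; a "large" upload spooled through a NamedTemporaryFile, which mkstemp() creates as 0o600, and then renamed into place, which keeps that mode), then applies an explicit mode after the save the way Django's FileSystemStorage does when the setting (spelled FILE_UPLOAD_PERMISSIONS in Django) is not None, and finally audits a directory tree for files whose mode differs from the expected one. The file names, payloads and the umask values are constructed for the demonstration.

```python
import os
import stat
import tempfile


def file_mode(path):
    """Permission bits of *path* (e.g. 0o644) without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def save_in_memory_upload(dest, data):
    """Small uploads: the storage opens the destination itself, so the new
    file gets 0o666 masked by the process umask (0o644 under umask 0o022)."""
    with open(dest, "wb") as f:
        f.write(data)
    return file_mode(dest)


def save_temporary_file_upload(dest, data):
    """Large uploads: the handler spools to a NamedTemporaryFile, which
    mkstemp() creates as 0o600 regardless of umask, and the storage then
    moves it into place; the rename preserves that 0o600 mode."""
    with tempfile.NamedTemporaryFile(dir=os.path.dirname(dest), delete=False) as tmp:
        tmp.write(data)
        tmp_name = tmp.name
    os.rename(tmp_name, dest)
    return file_mode(dest)


def apply_upload_permissions(path, mode):
    """Normalise to an explicit mode after saving, as Django's storage does
    when FILE_UPLOAD_PERMISSIONS is set; None leaves the file as created."""
    if mode is not None:
        os.chmod(path, mode)
    return file_mode(path)


def audit_media_root(root, expected_mode):
    """Return (path, mode) for every regular file under *root* whose
    permission bits differ from *expected_mode*; an empty list means the
    tree is consistent. Useful as a one-off check on an existing MEDIA_ROOT."""
    mismatches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = file_mode(path)
            if mode != expected_mode:
                mismatches.append((path, mode))
    return mismatches


def demonstrate(upload_permissions=None, umask=0o022):
    """Save one 'small' and one 'large' constructed upload into a scratch
    MEDIA_ROOT under a fixed umask; report the resulting modes and an audit
    of the tree against 0o644 (the mode the proposal would make the default)."""
    previous_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as media_root:
            small = os.path.join(media_root, "avatar.png")   # constructed name
            large = os.path.join(media_root, "video.mp4")    # constructed name
            save_in_memory_upload(small, b"constructed small upload")
            save_temporary_file_upload(large, b"constructed large upload" * 1024)
            modes = {
                "small": apply_upload_permissions(small, upload_permissions),
                "large": apply_upload_permissions(large, upload_permissions),
            }
            return {"modes": modes, "mismatches": audit_media_root(media_root, 0o644)}
    finally:
        os.umask(previous_umask)


if __name__ == "__main__":
    for setting in (None, 0o644):
        result = demonstrate(upload_permissions=setting)
        label = "None" if setting is None else oct(setting)
        print(f"FILE_UPLOAD_PERMISSIONS = {label}:")
        for kind, mode in result["modes"].items():
            print(f"  {kind} upload -> {oct(mode)}")
        print(f"  files not 0o644: {len(result['mismatches'])}")
```

With the setting left at None the small upload comes out 0o644 and the large one 0o600, which is exactly the split the tickets describe; with an explicit 0o644 both paths agree and the audit finds nothing. Changing the umask to 0o002 shows where the 0o664 variant in the proposal comes from: only the in-memory path follows the umask, the temporary-file path stays at 0o600 either way.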
René Fleschenberg
2018-12-07 16:04:04 UTC
Hi,
Carlton Gibson wrote:
> *Proposal*: we should change the default for FILE_UPLOAD_PERMISSION to
> 0o644 (or maybe 0o664), and document that as a backward incompatible
> change. This would be correct for almost all users. If you're
> deliberately leveraging `FILE_UPLOAD_PERMISSION = None` it's an easy
> switch back to the current behaviour.
As someone who wasted a couple of hours because of the current behavior,
I am very much in favor of this.

The second-best solution in my opinion would be to have ``manage.py
startproject`` explicitly write the setting, either as 0o644 or as 0o600.
--
René Fleschenberg