Default upload permissions

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Default upload permissions

Claude Paroz
Hi all,

https://code.djangoproject.com/ticket/28540 explains that unless
FILE_UPLOAD_PERMISSION is set (not set by default), uploaded file
permissions are often a mix of 0o600 and 0o644 (or another value
depending of the default umask), based on the upload method (memory or
temporary file) which itself vary depending on the file size.

My opinion is like the reporter's that those permissions should not vary
depending on the used upload method, that's why I suggested the PR
(probably not the cleanest one!):
https://github.com/django/django/pull/10116

Please read the conversation and tell us if you have anything to add
that could help make a decision. Thanks.

Claude
--
www.2xlibre.net

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/c39e0821-4634-7ae3-983b-9554021f04f4%402xlibre.net.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Default upload permissions

Carlton Gibson-3
Hi all, 

This has come up again. So proposal below.

https://code.djangoproject.com/ticket/30004 "Document TemporaryUploadedFile potential permission issues"

Issue is that, with the default settings, you get 0o644 permissions for "small" files and 0o600 permissions for "big" ones. 
(Depending on which upload handler is used.)

History: 

* Claude and I discussed this a bit. 
* We are agreed the inconsistent default isn't great. 
* We noted just setting FILE_UPLOAD_PERMISSION solves this. 
* Given FILE_UPLOAD_PERMISSION = None, Claude suggested a patch which would "guess" the permissions to use from the process umask.
* I didn't like this: 
   * too clever, and ultimately not our business.
   * Would work for default settings but get in the way once you started using the related file upload settings. (And so would need an opt-out.) 
* In the end we just added a note to the deployment checklist. 

This wasn't good enough. (Clearly.) 

Proposal: we should change the default for FILE_UPLOAD_PERMISSION to 0o644 (or maybe 0o664), and document that as a backward incompatible change. This would be correct for almost all users.  If you're deliberately leveraging `FILE_UPLOAD_PERMISSION = None` it's an easy switch back to the current behaviour. 

Can I ask you to comment? Thanks. 

Kind Regards,

Carlton
 



--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/d3ce3fba-340a-4379-9449-80e0c06f6aa1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Default upload permissions

René Fleschenberg
Hi,

On 12/5/18 9:54 AM, Carlton Gibson wrote:
> *Proposal*: we should change the default for FILE_UPLOAD_PERMISSION to
> 0o644 (or maybe 0o664), and document that as a backward incompatible
> change. This would be correct for almost all users.  If you're
> deliberately leveraging `FILE_UPLOAD_PERMISSION = None` it's an easy
> switch back to the current behaviour.
As someone who wasted a couple of hours because of the current behavior,
I am very much in favor of this.

The second-best solution in my opinion would be to have ``manage.py
startproject`` explicitly write the setting, either as 0o644 or as 0o600.

--
René Fleschenberg

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/97d123f7-cf49-0dae-5c2f-171cf421bea7%40fleschenberg.net.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: Default upload permissions

Ira Abbott
I like this solution, as it applies the fix for new things moving forward with no change in
behavior to cause problem for existing tweaked in sites.  The most likely
time to run in to this problem is, in my opinion, is when varying platforms or starting fresh
projects.  Once settled in to a project/platform combination, minor OS and platform feature
patches, etc. are are unlikely to change behavior. 


On Friday, December 7, 2018 at 11:04:21 AM UTC-5, René Fleschenberg wrote:
Hi,

On 12/5/18 9:54 AM, Carlton Gibson wrote:
> *Proposal*: we should change the default for FILE_UPLOAD_PERMISSION to
> 0o644 (or maybe 0o664), and document that as a backward incompatible
> change. This would be correct for almost all users.  If you're
> deliberately leveraging `FILE_UPLOAD_PERMISSION = None` it's an easy
> switch back to the current behaviour.
As someone who wasted a couple of hours because of the current behavior,
I am very much in favor of this.

The second-best solution in my opinion would be to have ``manage.py
startproject`` explicitly write the setting, either as 0o644 or as 0o600.

--
René Fleschenberg

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/a8ea6c6b-b04c-4160-b707-dfccd816526c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.