Our nightly system check discovered world-writable files in $files_dir/journals, namely:
4/articles/337
4/articles/339
4/articles/336
4/articles/342
4/articles/338
Steps I took leading up to the issue:
None we are aware of.
What I tried to resolve the issue:
I checked the umask setting in config.inc.php, but it is “0022”.
Application Version:
OJS: v3.3.0-10 running on a Debian v11.3 (“bullseye”) LAMP system, using
Linux v5.10.0-9
Apache v2.4.53
PHP (fpm-fcgi) v7.4.28
MariaDB v15.1
Additional information, such as screenshots and error log messages if applicable:
There are other submissions, which have been created earlier than the offending ones, and the permissions of these are correct (i.e., user and group “ojs” and mode 0644).
The patch does not resolve the issue. I’ve just applied the patch, restarted Apache and the PHP FPM, and submitted a file for testing. And the directory that has been created for the submission is still world-writable.
Is this a directory that was already created before you submitted a new file? If it’s just a new file you submitted, rather than a whole new submission, it’s likely that the directory had already been created before you applied the patch.
Regards,
Alec Smecher
Public Knowledge Project Team
Good point! I’m not sure why that directory should have existed, but after starting over in order to retrace my steps, the issue now appears to be fixed. Thanks a lot!