Exponentcms Exponent CMS → 2.3.8

We offer only a single admin permission setting for folder and file creation (actually 2). This may be too restrictive/permissive for uploaded (public) files and patches/extensions/temp-files. In some server scenarios, file/folder permissions can keep the system from working (correctly) and it seems the only fix is to open up the (group/world) permissions. In a perfect world/setup, all files/folders within Exponent would be owned by the specific web server user and only need to be accessible by the server. However, audio (and video?) files can only be played if they are world readable. A world read/write permission (777/666) though would cause a possible security issue because it would/might allow anyone the opportunity to write/edit a file and then execute it. (though we already have some pretty strong anti-execution settings/code in place)

• We may need 2 types of folder/file permissions (actually 4) based on whether it's for an upload into the /files folder or somewhere else in the system
• We need to ensure we are always setting the folder/file permissions instead of the default of 0777 for mkdir()
• The intent would be to lock down the system (everything but the /files folder and to allow a little more (read-only) access to the /files folder and it's children, with a little more access (write) to upload files