No, it’s very unsafe indeed, unless VM is doing something that I’m not aware of, but I don’t see how it can be, really.
I have corrected all folders and files now by adding dirUMASK and HTMLUmask to mt.config, with both set to 0022, and then deleting all previously published files/folders except the mt folder, and then republishing everything.
However, it would seem that someone who did not know MT and it’s installation quite so well could easily end up in a world of trouble with the default install permissions.
i’ll wait until later and if Eric or Joe, or Jamie don’t reply I’ll add it to the issue tracker.
Feel free to move this to the issue tracker if you want to. If that isn’'t possible, then also feel free to delete this thread entirely and redo it as an issue. I’ll keep an eye on it over on the tracker.