[php-maint] Bug#811130: Bug#811130: php5: [kfreebsd] uploaded files have gid=root
Ondřej Surý
ondrej at sury.org
Tue Feb 16 12:37:17 UTC 2016
Steven,
does it happen only with cgi (under a custom fcgi) wrapper or could you
reproduce that under a different SAPI (e.g. FPM)?
Could you perhaps also attach the php-fcgi-starter script and more details about
your webserver configuration related to the FCGI interaction?
Cheers,
--
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
On Fri, Jan 15, 2016, at 23:17, Steven Chamberlain wrote:
> Package: src:php5
> Version: 5.4.45-0+deb7u2
> Severity: important
> User: debian-bsd at lists.debian.org
> Usertags: kfreebsd
> X-Debbugs-Cc: debian-bsd at lists.debian.org
>
> (Followup to https://lists.debian.org/debian-bsd/2016/01/msg00021.html)
>
> This turns out to be some bug or odd behaviour of PHP when handling file
> uploads on kfreebsd. Here's a simple testcase:
>
> <?php
>
> if ($_SERVER['REQUEST_METHOD'] === 'POST') {
> print_r($_FILES);
> var_dump(move_uploaded_file($_FILES['foo']['tmp_name'], '.foo'));
> die();
> }
>
> ?>
> <html>
> <body><form id="for-you" method="post" enctype="multipart/form-data">
> <input name="foo" type="file" />
> <input type="submit" />
> </form></body>
> </html>
>
> Submitting the web form, PHP writes the uploaded file to /tmp initially,
> having a random filename, and moves it to ".foo" in the web document
> root at request of the PHP script.
>
> The PHP script is *supposed* to run non-privileged for obvious
> reasons. suexec.log suggests I set that up right:
>
> uid: (1046/foo) gid: (1045/foo) cmd: php-fcgi-starter
>
> And executing <?php passthru('id'); ?> confirms that is generally the
> case:
>
> uid=1046(foo) gid=1045(foo) groups=1045(foo)
>
> But `stat .foo` shows the uploaded file having gid=0 instead, something
> not possible to do if you have dropped privileges:
>
> File: `.foo'
> Size: 5 Blocks: 9 IO Block: 4096 regular file
> Device: 735ae718h/1935337240d Inode: 238962 Links: 1
> Access: (0644/-rw-r--r--) Uid: ( 1046/foo) Gid: ( 0/root)
> Access: 2016-01-15 22:00:02.555410397 +0000 ^^^^^^
> Modify: 2016-01-15 22:00:02.555410397 +0000 wrong gid!
> Change: 2016-01-15 22:00:02.555410397 +0000
> Birth: -
>
> I couldn't repeat this on a GNU/Linux machine. Is PHP maybe not
> dropping privileges properly on GNU/kFreeBSD? (setgid,setegid issue?)
> Haven't yet checked if it affects regular FreeBSD also.
>
> There seems nothing special about my /tmp: mode 1777/drwxrwxrwt.
> That and the web document root are on ZFS.
>
> Thanks.
> Regards,
> --
> Steven Chamberlain
> steven at pyro.eu.org
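A diagnostic for the question raised in this thread, added here as an example and not taken from either message: it separates a file group that comes from the process's effective gid from one inherited from the containing directory, which is the rule FreeBSD kernels apply to newly created files. The function names `classify_gid` and `probe_dir` and the `gidprobe` prefix are made up for this sketch; it assumes the posix extension is loaded.

```php
<?php
// Added diagnostic, not from the original thread. Needs the posix extension.
// Run it through the same wrapper/SAPI as the upload testcase.

// Pure decision: where did a new file's group come from?
function classify_gid(int $fileGid, int $egid, int $dirGid): string
{
    if ($fileGid === $egid && $fileGid === $dirGid) {
        return 'ambiguous: directory group equals process egid';
    }
    if ($fileGid === $egid) {
        return 'process egid';
    }
    if ($fileGid === $dirGid) {
        return 'inherited from directory';
    }
    return 'neither: investigate further';
}

// Create a scratch file in $dir, record the ids involved, then remove it.
function probe_dir(string $dir): array
{
    $path = tempnam($dir, 'gidprobe');
    // tempnam() falls back to the system temp dir (with a notice) if $dir is unusable.
    if ($path === false || realpath(dirname($path)) !== realpath($dir)) {
        if ($path !== false) {
            unlink($path);
        }
        throw new RuntimeException("cannot create a file in $dir");
    }
    clearstatcache();
    $file = stat($path);
    $parent = stat($dir);
    unlink($path);
    return [
        'dir'        => $dir,
        'dir_gid'    => $parent['gid'],
        'dir_setgid' => (bool) ($parent['mode'] & 02000), // S_ISGID on the directory
        'file_gid'   => $file['gid'],
        'egid'       => posix_getegid(),
        'rgid'       => posix_getgid(),
        'groups'     => posix_getgroups(),
        'verdict'    => classify_gid($file['gid'], posix_getegid(), $parent['gid']),
    ];
}

header('Content-Type: text/plain');
$uploadTmp = ini_get('upload_tmp_dir') ?: sys_get_temp_dir();
foreach ([$uploadTmp, __DIR__] as $dir) {
    print_r(probe_dir($dir));
}
```

A verdict of "inherited from directory" for the upload temp directory, alongside an unprivileged `egid` and `rgid`, means the gid on the file came from the directory and not from the process credentials. A "neither" verdict, or a root `egid`, points back at how the wrapper sets up the process.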