[php-maint] Bug#811130: php5: [kfreebsd] uploaded files have gid=root
Steven Chamberlain
steven at pyro.eu.org
Fri Jan 15 22:17:11 UTC 2016
Package: src:php5
Version: 5.4.45-0+deb7u2
Severity: important
User: debian-bsd at lists.debian.org
Usertags: kfreebsd
X-Debbugs-Cc: debian-bsd at lists.debian.org
(Followup to https://lists.debian.org/debian-bsd/2016/01/msg00021.html)
This turns out to be some bug or odd behaviour of PHP when handling file
uploads on kfreebsd. Here's a simple testcase:
    <?php
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // Show what PHP recorded for the upload (including tmp_name).
        print_r($_FILES);
        // Move the temporary file next to this script and report success.
        var_dump(move_uploaded_file($_FILES['foo']['tmp_name'], '.foo'));
        die();
    }
    ?>
    <html>
    <body><form id="for-you" method="post" enctype="multipart/form-data">
    <input name="foo" type="file" />
    <input type="submit" />
    </form></body>
    </html>
Submitting the web form, PHP writes the uploaded file to /tmp initially,
having a random filename, and moves it to ".foo" in the web document
root at request of the PHP script.
The PHP script is *supposed* to run non-privileged for obvious
reasons. suexec.log suggests I set that up right:

    uid: (1046/foo) gid: (1045/foo) cmd: php-fcgi-starter

And executing <?php passthru('id'); ?> confirms that is generally the
case:

    uid=1046(foo) gid=1045(foo) groups=1045(foo)

But `stat .foo` shows the uploaded file having gid=0 instead, something
not possible to do if you have dropped privileges:

      File: `.foo'
      Size: 5 Blocks: 9 IO Block: 4096 regular file
    Device: 735ae718h/1935337240d Inode: 238962 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 1046/foo) Gid: ( 0/root)
    Access: 2016-01-15 22:00:02.555410397 +0000       ^^^^^^
    Modify: 2016-01-15 22:00:02.555410397 +0000     wrong gid!
    Change: 2016-01-15 22:00:02.555410397 +0000
     Birth: -

I couldn't repeat this on a GNU/Linux machine. Is PHP maybe not
dropping privileges properly on GNU/kFreeBSD? (setgid,setegid issue?)
Haven't yet checked whether it affects regular FreeBSD also.
There seems nothing special about my /tmp: mode 1777/drwxrwxrwt.
That and the web document root are on ZFS.
Thanks.
Regards,
--
Steven Chamberlain
steven at pyro.eu.org
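
An added diagnostic, not part of the original report and not code from the PHP project: it creates a scratch file in the upload temp directory and in the script's own directory, then compares each file's gid with the process's effective gid, its supplementary groups and the directory's gid. On BSD-derived kernels a newly created file takes the group of its containing directory rather than the creator's effective gid, so the output separates that case from a real failure to drop privileges. The function names classify_gid and probe_dir are made up for this example, and it assumes the posix extension is loaded.

```php
<?php
// Added diagnostic (not from the original report). Written to run on PHP 5.4
// with the posix extension, through the same suexec/FastCGI setup as the test.

// Say where a new file's gid could have come from.
function classify_gid($fileGid, $egid, array $groups, $dirGid)
{
    if ($fileGid === $egid) {
        return 'effective gid of the process';
    }
    if ($fileGid === $dirGid) {
        return 'group of the containing directory (BSD semantics)';
    }
    if (in_array($fileGid, $groups, true)) {
        return 'supplementary group of the process';
    }
    return 'neither process credentials nor directory group';
}

// Create a scratch file in $dir, record its gid, then remove it.
function probe_dir($dir)
{
    $path = rtrim($dir, '/') . '/gidprobe.' . uniqid('', true);
    $fh = @fopen($path, 'x'); // 'x' refuses to reuse an existing file
    if ($fh === false) {
        return null;
    }
    fclose($fh);
    clearstatcache();
    $fileGid = filegroup($path);
    unlink($path);
    $dirGid = filegroup($dir);
    $why = classify_gid($fileGid, posix_getegid(), posix_getgroups(), $dirGid);
    return array('file_gid' => $fileGid, 'dir_gid' => $dirGid, 'source' => $why);
}

header('Content-Type: text/plain');
printf("euid=%d egid=%d groups=%s\n",
    posix_geteuid(), posix_getegid(), implode(',', posix_getgroups()));
// Probe the upload temp directory first, then this script's directory.
$uploadDir = ini_get('upload_tmp_dir') ?: sys_get_temp_dir();
foreach (array($uploadDir, __DIR__) as $dir) {
    $r = probe_dir($dir);
    if ($r === null) {
        echo "$dir: cannot create a scratch file here\n";
        continue;
    }
    printf("%s: file gid=%d, dir gid=%d -> %s\n",
        $dir, $r['file_gid'], $r['dir_gid'], $r['source']);
}
```

When a file's gid equals both the effective gid and the directory's gid, the probe cannot tell the two sources apart; a directory whose group differs from the process's, such as a root-owned /tmp, gives the clearest result.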