Bug #50163 IUSR_ NTFS permissions issue on PHP 5.2.11-nts
Submitted: 2009-11-13 09:23 UTC
Modified: 2013-01-08 08:08 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: be3ch at centrum dot cz
Assigned: pajoye
Status: No Feedback
Package: Filesystem function related
PHP Version: 5.2.11
OS: win32 only - Windows 2003 Server
Private report: No
CVE-ID: None

 [2009-11-13 09:23 UTC] be3ch at centrum dot cz
Description:
------------
Hello,
I have installed PHP 5.2.11 on Windows 2003 Server, IIS6 and the FastCGI handler. For this configuration, the non-ts version of PHP is recommended. I have encountered a problem with this version.

If I'm using PHP 5.2.11 ts and IUSR has only READ permissions on the webroot directory, everything works correctly.

If I'm using PHP 5.2.11 non-ts and IUSR has only READ permissions on the webroot directory, file functions don't work. But functions like include or require work correctly.

If I'm using PHP 5.2.11 non-ts and IUSR has READ+EXECUTE permissions on the webroot directory, everything works correctly.

Here are some of my test results:

Web=test.com
RootPath=D:\wwwroot\testcom\www\
TestScript=http://test.com/test.php
IUSR=IUSR_testcom

1) IUSR_testcom NTFS permissions on RootPath : READ

(OK) PHP 5.2.11 ts - test script result: bool(true)
(KO) PHP 5.2.11 non-ts  - test script result: Warning: file_exists(): open_basedir restriction in effect. File(test.php) is not within the allowed path(s): (D:\wwwroot\testcom;D:\tmp\System;D:\tmp\Php) in D:\wwwroot\testcom\www\test.php on line 3 bool(false)

2) IUSR_testcom NTFS permissions on RootPath : READ + EXECUTE

(OK) PHP 5.2.11 ts - test script result: bool(true)
(OK) PHP 5.2.11 non-ts  - test script result: bool(true)

Why is PHP non-ts not working correctly when there are only READ permissions for IUSR on the root path? FastCGI and PHP are running with impersonate.

Reproduce code:
---------------
Test script test.php source code:

<?php

var_dump(file_exists('test.php'));

?>

Expected result:
----------------
bool(true)

Actual result:
--------------
Warning: file_exists(): open_basedir restriction in effect. File(test.php) is not within the allowed path(s): (D:\wwwroot\testcom;D:\tmp\System;D:\tmp\Php) in D:\wwwroot\testcom\www\test.php on line 3 bool(false)

History

 [2009-11-13 10:36 UTC] pajoye@php.net
5.2 did not support ACL correctly, 5.3 does.
 [2009-11-13 10:57 UTC] be3ch at centrum dot cz
I think it's not a problem with ACL, because with the PHP 5.2.11 ts version it works correctly, and if the script is changed to use the FULL path:

<?php

var_dump(file_exists('D:\wwwroot\testcom\www\test.php'));

?>

it works correctly with PHP 5.2.11 non-ts and only READ permissions too.
 [2009-11-13 11:00 UTC] pajoye@php.net
Simply try it with 5.3. Impersonate and ACL have been improved/fixed there.
 [2009-11-13 11:41 UTC] be3ch at centrum dot cz
Sorry, PHP 5.3.0 VC9 x86 Non Thread Safe - same problem.

The non-TS version of PHP does not work correctly when there are only READ NTFS permissions on the webroot directory. It works only with READ+EXECUTE.
 [2009-11-13 12:02 UTC] pajoye@php.net
Please run:

icacls D:\wwwroot\testcom\

icacls D:\wwwroot\testcom\www\

and paste the result here, so we can try to reproduce your problem with the same settings.

 [2009-11-13 12:15 UTC] be3ch at centrum dot cz
D:\wwwroot>icacls D:\wwwroot\testcom\
D:\wwwroot\testcom\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                    NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(R)
                    BUILTIN\Administrators:(OI)(CI)(F)
                    TEST_SERVER\G6FTPUser:(OI)(CI)(R,W,D,DC)
                    TEST_SERVER\IUSR_testcom:(OI)(CI)(R)

Successfully processed 1 files; Failed processing 0 files

D:\wwwroot>icacls D:\wwwroot\testcom\www
D:\wwwroot\testcom\www BUILTIN\Administrators:(OI)(CI)(F)
                       TEST_SERVER\G6FTPUser:(OI)(CI)(R,W,D,DC)
                       TEST_SERVER\IUSR_testcom:(OI)(CI)(R)
                       NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(R)
                       NT AUTHORITY\SYSTEM:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
 [2009-11-14 02:34 UTC] ksingla@php.net
Can you paste the value of the include_path directive (ini_get('include_path')) for each of the cases? Given that the full path to the file works with just read permissions, that tells us the relative path test.php is getting resolved to some other path which is outside open_basedir. Strange that adding execute permission makes it resolve to a different path.
 [2009-11-14 08:48 UTC] be3ch at centrum dot cz
open_basedir and include_path are the same for every case:

open_basedir = D:\wwwroot\testcom;D:\tmp\System;D:\tmp\Php
include_path = .;D:\wwwroot\testcom\www;D:\wwwroot\testcom

If open_basedir is disabled (empty), the result of the test script with a relative path is: bool(false). The result with the full path is correctly: bool(true).
 [2009-11-20 08:42 UTC] be3ch at centrum dot cz
Any progress? :)
 [2009-11-20 10:51 UTC] pajoye@php.net
I fail to reproduce this problem. No matter the OS or configuration, using 5.3 or 5.2.
 [2009-11-24 20:14 UTC] be3ch at centrum dot cz
You can try this procedure to reproduce this problem:
- install Windows 2008 Server (x86)
- add Web Server role (for IIS7 support)
- download Web Platform Installer and install PHP 5.2.11

Now you have the default web in IIS7 with PHP 5.2.11 support. Create a test script test.php with this content:

<?php

var_dump(file_exists('test.php'));

?>

and copy test.php to C:\Inetpub\wwwroot. Now you can try http://localhost/test.php and you can see the result of the script:
bool(true).

Here is the default icacls result on the C:\Inetpub\wwwroot directory:

wwwroot BUILTIN\IIS_IUSRS:(RX)
        BUILTIN\IIS_IUSRS:(OI)(CI)(IO)(GR,GE)
        NT SERVICE\TrustedInstaller:(I)(F)
        NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
        NT AUTHORITY\SYSTEM:(I)(F)
        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
        BUILTIN\Users:(I)(RX)
        BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
        CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

Now, on the folder C:\inetpub\wwwroot, delete inheritance and change the permissions to:

Administrators:F
IUSR:R
NETWORK SERVICE:R
System:F

The icacls result will be:

wwwroot NT AUTHORITY\IUSR:(OI)(CI)(R)
        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(R)
        BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

Restart the IIS service and try http://localhost/test.php now. The result of the script will be: bool(false). Now you can try changing the test script to the full path and the result will be bool(true). If you change PHP to the TS version, the result with the relative path will be correct: bool(true). PHP 5.3 NonTS has the same problem.
 [2009-12-07 13:41 UTC] be3ch at centrum dot cz
Any progress? I can give you access to my VPS server, where you can see it. :)
 [2010-01-25 08:50 UTC] pajoye@php.net
That would help yes, please drop me a mail with the access data :)
 [2010-02-02 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2010-10-07 15:40 UTC] saurabh0 at gmail dot com
I am facing the same problem. Running PHP Version 5.3.3 (FastCgi, non-thread safe) on IIS6/Windows Server 2003.

All file functions give an error when relative paths are used and with *only* Read permissions on the folder, e.g.

file_get_contents('./path/file.txt');

The above gives:
Warning: file_get_contents(./path/file.txt): failed to open stream: No such file or directory

If you give the full path it works fine, i.e. the following works:

file_get_contents('C:/full/path/file.txt');

If you add the "List Folder Contents" permission to the folder, it starts to work with relative paths as well.

I am guessing that when relative paths are used, PHP tries to get some information about the current folder, which fails as "List Folder Contents" is not given.

Note: I had PHP (5.2) running as ISAPI before and didn't have this problem. So it seems to be specific to the non-thread-safe version.
 [2010-10-07 16:00 UTC] pajoye@php.net
-Status: No Feedback +Status: Feedback
 [2010-10-07 16:00 UTC] pajoye@php.net
Please try using 5.3.3.
 [2010-10-07 17:54 UTC] cataphract@php.net
Closed bug #53011 as a duplicate of this one.

Pierre: he's using PHP 5.3.3.
 [2010-10-07 17:56 UTC] saurabh0 at gmail dot com
Some additional info:

var_dump(getcwd(), realpath("."));

gives:

string(7) "c:\php5" string(7) "C:\php5"

As expected, when you give "List Folder Contents" permission (in
addition to read) to the web root folder both functions return the
correct path.
 [2010-10-07 18:25 UTC] cataphract@php.net
This might be unrelated (probably it's the same issue), but I can notice a difference between zts and non-zts on chdir.

Full Process Monitor log here:
http://nebm.ist.utl.pt/~glopes/misc/log50163.txt

The most relevant part is:

NON-ZTS:
7:16:40,4984188	php.exe	13220	CreateFile	C:\Users\Cataphract\Documents\SDK\php54dev\vc9\x86\php54-trunk\Debug_TS\teste	ACCESS DENIED	Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a

ZTS:
Only a successful QueryDirectory to C:\Users\Cataphract\Documents\SDK\php54dev\vc9\x86\php54-trunk\Debug_TS\teste
 [2010-10-07 18:32 UTC] cataphract@php.net
Forgot to add. The script was this one:

<?php
var_dump(chdir('c:\Users\Cataphract\Documents\SDK\php54dev\vc9\x86\php54-trunk\Debug_TS\teste'));
echo file_get_contents("./relative/file.txt");

The permissions on [...]\Debug_TS\teste were "Read" (i.e., List Folder/Read data, Read attributes and extended attributes, Read permissions, on the folder, subfolders and files). The simple permission "List folder contents" is actually giving additionally the permission Traverse Folder/execute files to the folder and subfolders.
 [2010-10-07 19:03 UTC] cataphract@php.net
While chdir() requires traverse/execute permissions on the target folder (a permission that is ignored anyway, because bypass traverse checking is enabled by default), I cannot reproduce the bug using the CLI SAPI.

Setting the working directory to c:\Users\Cataphract\Documents\SDK\php54dev\vc9\x86\php54-trunk\Debug_TS\teste, and running the non-zts PHP with the script:

<?php
echo file_get_contents("./relative/file.txt");

worked perfectly. So this may be specific to the CGI SAPI.
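
A diagnostic for the symptom reported in this thread, added here as an example (it is not code from any participant or from PHP itself): it compares getcwd() with the script's own directory and tests the same file by relative and by absolute path. The file name probe.txt and the helper same_dir() are assumptions for illustration, and the closure syntax needs PHP 5.3 or later.

```php
<?php
// Added diagnostic (not from the bug report). Request it through the web server:
// the thread reports the problem under FastCGI/CGI and not under the CLI.
// 'probe.txt' is a hypothetical file; create it next to this script first.

/** Compare two directory paths as Windows does: case-insensitive, either slash. */
function same_dir($a, $b)
{
    if ($a === false || $b === false) {
        return false;                       // getcwd() or realpath() failed outright
    }
    $norm = function ($p) {
        return strtolower(rtrim(str_replace('\\', '/', $p), '/'));
    };
    return $norm($a) === $norm($b);
}

$scriptDir = dirname(__FILE__);             // full path of this file's directory
$cwd       = getcwd();                      // base used to resolve relative paths
$probe     = 'probe.txt';
$absolute  = $scriptDir . DIRECTORY_SEPARATOR . $probe;

$report = array(
    'sapi'                   => PHP_SAPI,
    'thread_safe'            => (bool) PHP_ZTS,
    'script_dir'             => $scriptDir,
    'getcwd'                 => $cwd,
    'realpath_dot'           => realpath('.'),
    'cwd_matches_script_dir' => same_dir($cwd, $scriptDir),
    'relative_exists'        => file_exists($probe),
    'absolute_exists'        => file_exists($absolute),
);

header('Content-Type: text/plain');
print_r($report);

// The pattern described in the comments above: the absolute path works, the
// relative one does not, and getcwd() points somewhere other than the web root.
if (!$report['cwd_matches_script_dir'] && $report['absolute_exists']) {
    echo "\nWorking directory is " . var_export($cwd, true)
       . ", not the script directory, so relative paths resolve elsewhere.\n"
       . "Build paths from dirname(__FILE__), or add the Execute/Traverse "
       . "permission that the thread reports as making relative paths work.\n";
}
```

Run it once with the Read-only ACL and once with Read+Execute; a change in `getcwd` and `relative_exists` between the two runs, with `absolute_exists` staying true, matches the behaviour described in this report.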
 [2013-01-08 08:08 UTC] pajoye@php.net
-Status: Feedback +Status: No Feedback
 