php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #65057 move_uploaded_file() umask acl
Submitted: 2013-06-18 13:24 UTC Modified: -
Votes:11
Avg. Score:4.4 ± 0.9
Reproduced:10 of 10 (100.0%)
Same Version:3 (30.0%)
Same OS:9 (90.0%)
From: pb at complex dot pl Assigned:
Status: Open Package: Filesystem function related
PHP Version: 5.3.26 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: pb at complex dot pl
New email:
PHP Version: OS:

 

 [2013-06-18 13:24 UTC] pb at complex dot pl 
Description:
------------
move_uploaded_file() uses VCWD_CHMOD(new_path, 0666 & ~oldmask). This breaks acls of uploaded files when umask is set to 077

The setup is as follows:
- all files are owned by user:user
- all files have 600 perms, dirs have 700
- PHP script is invoked as user:user (suexec+fcgid)
- ACLs are used to grant access for apache user (user:apache:r-x, default:user:apache:r-x) on all files and dirs.
- umask set to 077

When file is uploaded to upload_tmp_dir getfacl shows:
user::rw-
user:apache:r-x                 #effective:r--
group::---
mask::r--
other::---

After calling move_uploaded_file() the file in dest_dir has following ACLs:
user::rw-
user:apache:r-x                 #effective:---
group::---
mask::---
other::---

chmod(600) invoked in this case in move_uploaded_file() changes ACL mask to 000 which in turn revokes access for apache user.

Expected result:
----------------
Preserve ACL of uploaded files.

Actual result:
--------------
ACL get broken after calling move_uploaded_file()

Patches

Pull Requests
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Oct 24 14:00:01 2025 UTC