php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #28812 getgid/getuid usage
Submitted: 2004-06-17 01:44 UTC Modified: 2016-04-03 17:41 UTC
From: liquid at haveheart dot com Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 4.3.6 OS: linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: liquid at haveheart dot com
New email:
PHP Version: OS:

 

 [2004-06-17 01:44 UTC] liquid at haveheart dot com 
Description:
------------
in a lot of the code, php does checks using getuid or 
getgid.  one should actually be checking with geteuid 
and getegid, especially in situations where you are 
looking at getgroups.

one might look at ext/standard/filestat.c for examples 
(FS_IS_W st_mode checks as an example). an example 
function that is potentially affected by this is 
is_writeable('filename') when combined with the User and 
Group directives in apache's httpd.conf file.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-06-17 09:08 UTC] derick@php.net 
WHy is this needed? And do you know for sure that all Unix-like operating systems have this systemcall?
 [2004-06-17 16:26 UTC] liquid at haveheart dot com 
basically, it boils down to this.  the real id is the uid of user who actually ran the process.  the effective id is the uid that is assigned to new files (any file that would be created), is used (as the owner check) to check file access.  the real id is also used to compare against the effective id and is the only match that is allowed to kill(1) the process.

also, just for clarity, when getgroups(2) is used... it is undefined (based on different unix variants) as to whether the effective gid is returned.  following is an exert from man 2 getgroups on linux.

getgroups
Up  to size supplementary group IDs are returned in list.  It is unspecified whether the effective group ID of the  calling  process  is  included  in  the returned list. (Thus, an application should also call getegid(2) and  add  or  remove  the  resulting value.)   If  size  is zero, list is not modified, but the total number of supplementary group IDs for the process is returned.

also, yes.. getegid/geteuid are posix and bsd 4.3 defined, so they are implemented everywhere.  hope this helps.
 [2016-04-03 17:41 UTC] krakjoe@php.net
-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: *General Issues
 [2016-04-03 17:41 UTC] krakjoe@php.net 
It's been more than ten years since you opened the bug.

I think, time has proven that your original assertion that this is required wrong.

I can be wrong.

If you think I am, and you still feel this is required; An RFC is required for this kind of change today: https://wiki.php.net/rfc

Sorry about the wait :(
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 23 08:01:30 2024 UTC