Bug #42596 session.save_path MODE option will not set "write" bit for group or world
Submitted: 2007-09-08 03:47 UTC Modified: 2009-04-06 11:56 UTC
From: randy at rcs-comp dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.2.4 OS: Linux
Private report: No CVE-ID:
 [2007-09-08 03:47 UTC] randy at rcs-comp dot com
Description:
------------
When using the mode parameter in session_save_path (or presumably session.save_path) it will not set the "write" bit correctly for anyone but the owner of the file.  Read and execute bits are set correctly.

This is important b/c I would like to setgid on the session directory so that a non-privileged user (the website reseller) can clean it out.  That way, all I have to do is add apache to the user's group, and no more problems with clearing out sessions.

Reproduce code:
---------------
<?php
$pm = '0;0600;'.dirname(__FILE__).'/sessions';
session_save_path($pm);
session_start();
die('hello world');
?>

// delete the session file just created

<?php
$pm = '0;0660;'.dirname(__FILE__).'/sessions';
session_save_path($pm);
session_start();
die('hello world');
?>

// delete the session file just created

<?php
$pm = '0;0777;'.dirname(__FILE__).'/sessions';
session_save_path($pm);
session_start();
die('hello world');
?>



Expected result:
----------------
[root@host sessions]# ls -l
total 0
-rw-------  1 apache apache 0 Sep  7 23:30 sess_b1fb...

[root@host sessions]# ls -l
total 0
-rw-rw----  1 apache apache 0 Sep  7 23:31 sess_b1fb...

[root@host sessions]# ls -l
total 0
-rwxrwxrwx  1 apache apache 0 Sep  7 23:40 sess_b1fb...

Actual result:
--------------
[root@host sessions]# ls -l
total 0
-rw-------  1 apache apache 0 Sep  7 23:30 sess_b1fb...

[root@host sessions]# ls -l
total 0
-rw-r-----  1 apache apache 0 Sep  7 23:31 sess_b1fb...
^^^^^^^^^^ <----------------  Permission does not have write bit

[root@host sessions]# ls -l
total 0
-rwxr-xr-x  1 apache apache 0 Sep  7 23:40 sess_b1fb...
^^^^^^^^^^ <----------------  Permission does not have write bits

 [2007-09-10 23:43 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2007-09-11 01:20 UTC] randy at rcs-comp dot com
THANK YOU!
 [2009-04-06 11:56 UTC] bjori@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

Fix your umask().
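
The permissions in the "Actual result" listing are exactly what a umask of 022 leaves of each requested mode (0600 stays 0600, 0660 becomes 0640, 0777 becomes 0755). The C program below is an added example, not PHP's source and not code from this report; it assumes the session file is created with open(2) using the requested mode, and the function name `created_mode` and the scratch file name are hypothetical.

```c
/* Added example: how the process umask filters the mode passed to open(2). */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a scratch file with `requested` mode while `mask` is the umask.
 * If force_chmod is non-zero, fchmod() the descriptor afterwards, which is
 * not subject to the umask. Returns the permission bits, or (mode_t)-1. */
static mode_t created_mode(mode_t requested, mode_t mask, int force_chmod)
{
    const char *tmp = getenv("TMPDIR");
    char path[512];
    struct stat st;

    /* Constructed scratch path; O_EXCL below refuses a pre-existing file. */
    snprintf(path, sizeof(path), "%s/sess_demo_%ld",
             tmp ? tmp : "/tmp", (long)getpid());

    mode_t old = umask(mask);            /* umask under test */
    int fd = open(path, O_CREAT | O_EXCL | O_RDWR, requested);
    umask(old);                          /* restore the caller's umask */
    if (fd < 0)
        return (mode_t)-1;

    int ok = (!force_chmod || fchmod(fd, requested) == 0)
             && fstat(fd, &st) == 0;
    close(fd);
    unlink(path);
    return ok ? (st.st_mode & 07777) : (mode_t)-1;
}

int main(void)
{
    const mode_t modes[] = { 0600, 0660, 0777 };  /* modes from the report */

    for (size_t i = 0; i < sizeof(modes) / sizeof(modes[0]); i++)
        printf("requested %04o | umask 022: %04o | umask 007: %04o | fchmod: %04o\n",
               (unsigned)modes[i],
               (unsigned)created_mode(modes[i], 022, 0),
               (unsigned)created_mode(modes[i], 007, 0),
               (unsigned)created_mode(modes[i], 022, 1));
    return 0;
}
```

Relaxing the umask changes the default permissions of every file the process creates afterwards, while an explicit fchmod() changes only the one file it is applied to.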
 
Last updated: Mon Apr 21 02:02:11 2014 UTC