php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #42596 session.save_path MODE option will not set "write" bit for group or world
Submitted: 2007-09-08 03:47 UTC Modified: 2009-04-06 11:56 UTC
From: randy at rcs-comp dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.2.4 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: randy at rcs-comp dot com
New email:
PHP Version: OS:

 

 [2007-09-08 03:47 UTC] randy at rcs-comp dot com 
Description:
------------
When using the mode parameter in session_save_path (or presumably session.save_path) it will not set the "write" bit correctly for anyone but the owner of the file.  Read and execute bits are set correctly.

This is important b/c I would like to setguid on the session directory so that a non-priveleged user (the website reseller) can clean it out.  That way, all I have to do is add apache to the user's group, and no more problems with clearing out sessions.

Reproduce code:
---------------
<?php
$pm = '0;0600;'.dirname(__FILE__).'/sessions';
session_save_path($pm);
session_start();
die('hello world');
?>

// delete the session file just created

<?php
$pm = '0;0660;'.dirname(__FILE__).'/sessions';
session_save_path($pm);
session_start();
die('hello world');
?>

// delete the session file just created

<?php
$pm = '0;0777;'.dirname(__FILE__).'/sessions';
session_save_path($pm);
session_start();
die('hello world');
?>



Expected result:
----------------
[root@host sessions]# ls -l
total 0
-rw-------  1 apache apache 0 Sep  7 23:30 sess_b1fb...

[root@host sessions]# ls -l
total 0
-rw-rw----  1 apache apache 0 Sep  7 23:31 sess_b1fb...

[root@host sessions]# ls -l
total 0
-rwxrwxrwx  1 apache apache 0 Sep  7 23:40 sess_b1fb...

Actual result:
--------------
[root@host sessions]# ls -l
total 0
-rw-------  1 apache apache 0 Sep  7 23:30 sess_b1fb...

[root@host sessions]# ls -l
total 0
-rw-r-----  1 apache apache 0 Sep  7 23:31 sess_b1fb...
^^^^^^^^^^ <----------------  Permission does not have write bit

[root@host sessions]# ls -l
total 0
-rwxr-xr-x  1 apache apache 0 Sep  7 23:40 sess_b1fb...
^^^^^^^^^^ <----------------  Permission does not have write bits

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-09-10 23:43 UTC] iliaa@php.net 
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
 [2007-09-11 01:20 UTC] randy at rcs-comp dot com 
THANK YOU!
 [2009-04-06 11:56 UTC] bjori@php.net 
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

Fix your umask().
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Apr 20 04:01:28 2024 UTC