Request #61435 PHP-FPM logs are not readable by group/others by default
Submitted: 2012-03-19 11:29 UTC Modified: 2017-10-24 07:43 UTC
Votes:10
Avg. Score:3.8 ± 1.2
Reproduced:7 of 7 (100.0%)
Same Version:3 (42.9%)
Same OS:2 (28.6%)
From: php at grange dot me Assigned:
Status: Open Package: FPM related
PHP Version: 5.3.10 OS:
Private report: No CVE-ID: None
 [2012-03-19 11:29 UTC] php at grange dot me
Description:
------------
Hello,

errorlog, slowlog and accesslog are created with permissions set to 0600 by 
default on PHP 5.3 and 5.4. 

Those files are often owned by root (at least in our setup but probably in a lot 
of setups), which makes it not convenient for developers to read them. They may 
contain useful information, such as PHP crashes.

Failing to fix it with umask in php-fpm init script (not mentioning the fact 
that it would affect php scripts too), I wrote a simple patch against PHP-5.3.10 
to modify open() calls with 0644 perms.

Note that Apache uses 0644 by default for its logs.

Olivier


Patches

php5.5-set-phpfpm-logs-perms-to-0644.patch (last revision 2013-09-07 13:52 UTC by lekensteyn at gmail dot com)
php5.4-set-phpfpm-logs-perms-to-0644-build-fixed.patch (last revision 2013-02-03 13:29 UTC by lekensteyn at gmail dot com)
php5.4-set-phpfpm-logs-perms-to-0644.patch (last revision 2013-02-03 12:03 UTC by lekensteyn at gmail dot com)
php5.3-set-phpfpm-logs-perms-to-0644.patch (last revision 2012-03-19 11:30 UTC by php at grange dot me)

History

 [2012-05-23 13:31 UTC] fat@php.net
-Assigned To: +Assigned To: fat
 [2013-02-03 12:06 UTC] lekensteyn at gmail dot com
I have attached a new patch (the old one was incompatible with 5.3). I have also changed "a+" to "a" as fpm_php_trace_dump is only writing to the file, not reading. According to the manpage, fdopen must have a mode that is compatible with the fd. In the old patch, there was a mismatch between a+ and O_WRONLY.
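Added example (not part of the bug report or of PHP's source): a small C program showing why a umask change cannot widen the 0600 log permissions described in the report, since umask only clears bits from the mode passed to open(), and that fdopen() mode "a" matches a write-only append descriptor as the comment above notes. The temporary path and the function name `created_mode` are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a fresh log file (write-only, append, create) with the given mode
 * argument under the given umask and return the permission bits the file
 * ends up with, or -1 on error. The path is a constructed temporary name. */
int created_mode(mode_t requested, mode_t mask)
{
    char path[] = "/tmp/fpm-log-demo-XXXXXX";
    struct stat st;
    int result = -1;

    /* mkstemp reserves a unique name; remove the file so open() creates it. */
    int tmp = mkstemp(path);
    if (tmp < 0)
        return -1;
    close(tmp);
    unlink(path);

    mode_t old = umask(mask);
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, requested);
    umask(old);
    if (fd < 0)
        return -1;

    /* "a" matches an O_WRONLY|O_APPEND descriptor; "a+" also asks to read. */
    FILE *fp = fdopen(fd, "a");
    if (fp != NULL) {
        fputs("constructed log line\n", fp);
        if (fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 0777);
        fclose(fp); /* also closes fd */
    } else {
        close(fd);
    }
    unlink(path);
    return result;
}

int main(void)
{
    printf("0600/umask 000 -> %04o, 0644/umask 022 -> %04o, 0644/umask 027 -> %04o\n",
           (unsigned)created_mode(0600, 000), (unsigned)created_mode(0644, 022),
           (unsigned)created_mode(0644, 027));
    return 0;
}
```

With a 0644 mode argument the umask decides how far the file is opened up: 027 yields 0640, which keeps the log unreadable to "others".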
 [2013-09-07 13:53 UTC] lekensteyn at gmail dot com
Patch refreshed for context in PHP 5.5.3 (no other changes). Could you please consider fixing this bug that has been present for over a year? A patch is available.
 [2013-09-14 07:11 UTC] php at grange dot me
Sorry, I fixed my patch on our systems but didn't take time to upload it here as 
nobody seemed to care. Thank you.
 [2013-09-14 08:32 UTC] lekensteyn at gmail dot com
No need to apologize, I do care but apparently it is not very high on the to-do list of PHP devs (if there are any).

In January of this year, I reported an open_basedir-related security bug on this website, to which I still haven't got any reply yet. I wonder if somebody is actually using the bug tracker besides users.
 [2014-08-14 09:51 UTC] peter at lekensteyn dot nl
Since this bug got little attention, I opened a PR at
https://github.com/php/php-src/pull/771
 [2016-05-04 14:18 UTC] silvian dot cretu at gmail dot com
I would also like the possibility of setting the ownership of the error_log. Say, for example, I want its user to be "root" and its group to be "adm" (on Debian-based Linux distributions), so that users in "adm" can read it.
 [2017-10-24 07:43 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: fat +Assigned To: