php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #65057 move_uploaded_file() umask acl
Submitted: 2013-06-18 13:24 UTC Modified: -
Votes:11
Avg. Score:4.4 ± 0.9
Reproduced:10 of 10 (100.0%)
Same Version:3 (30.0%)
Same OS:9 (90.0%)
From: pb at complex dot pl Assigned:
Status: Open Package: Filesystem function related
PHP Version: 5.3.26 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
8 + 32 = ?
Subscribe to this entry?

 
 [2013-06-18 13:24 UTC] pb at complex dot pl 
Description:
------------
move_uploaded_file() uses VCWD_CHMOD(new_path, 0666 & ~oldmask). This breaks acls of uploaded files when umask is set to 077

The setup is as follows:
- all files are owned by user:user
- all files have 600 perms, dirs have 700
- PHP script is invoked as user:user (suexec+fcgid)
- ACLs are used to grant access for apache user (user:apache:r-x, default:user:apache:r-x) on all files and dirs.
- umask set to 077

When file is uploaded to upload_tmp_dir getfacl shows:
user::rw-
user:apache:r-x                 #effective:r--
group::---
mask::r--
other::---

After calling move_uploaded_file() the file in dest_dir has following ACLs:
user::rw-
user:apache:r-x                 #effective:---
group::---
mask::---
other::---

chmod(600) invoked in this case in move_uploaded_file() changes ACL mask to 000 which in turn revokes access for apache user.

Expected result:
----------------
Preserve ACL of uploaded files.

Actual result:
--------------
ACL get broken after calling move_uploaded_file()

Patches

Add a Patch

Pull Requests

Add a Pull Request
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 18 03:01:28 2024 UTC