Files written though PHP/Apache don't honor directory setgid bit_问答_开发者

Files written though PHP/Apache don't honor directory setgid bit

开发者 https://www.devze.com 2023-04-12 06:30 出处：网络

Scratching my head on this one, seems so basic. I\'ve got a PHP based content management system for our website written by a contractor.One feature is the ability to upload images to be displayed in

相关专题：php

Scratching my head on this one, seems so basic.

I've got a PHP based content management system for our website written by a contractor. One feature is the ability to upload images to be displayed in various places on the website (like a product gallery). All such upload开发者_开发知识库ed images are stored in a particular directory called "attachments".

drwxrwsr-x 4 www ftpusers 4096 Oct 10 14:47 attachments

As you can see I've got the setgid bit set on that dir so that any files written will have the group that users (like FTP user) who need access to those files will able to modify/overwrite them. I've set the umask for Apache so that it will write files as group writable.

When I try this with ANY user in the system by creating a new file in that directory, it correctly inherits the group of the parent. When a new file is created through PHP running in Apache, it always has the apache.apache ownership. Apache seems to be ignoring the setgid bit, which I didn't think it could do as this was done by the file system. Here is one file I uploaded:

-rw-rw-r-- 1 apache apache 30536 Oct 10 14:43 209

I can't test as the apache user directly as it doesn't have a login shell specified (for obvious security reasons).

I can get the same permissions capability by adding the ftpusers group to the apache group, but this doesn't seem wise from a security perspective.

I did find one thing that seemed like it might be related - php safe mode, which I've verified is off in /etc/php.ini, although I'm not positive I found the php.ini file that mod_php in apache is using. The php script is using move_uploaded_file(); as far as I can tell, nothing fancy with permissions is being done in the php code.

My best guess would be that this is an intentional limitations for security, but I can't find anything that seems to indicate that is the case.

Running CentOS 5.6 with Apache 2.2.17 and php 5.2.16.

Anyone have a clue?

When you upload a file it is created in the dir specified by the PHP's "upload_tmp_dir" setting. Then move_uploaded_file() moves it to your target dir. It maintains the permissions given to it upon creation and not those of the target directory you move the file to.

So you want the tmp dir to have the permissions you want, basically those you've given to your target dir. Then it will be created with the setgid having effect and the move will keep them.

IIRC "upload_tmp_dir" is not available in .htaccess so if you cannot change this setting or the permissions given to the dir then you will need to do it another way.