Debian Bug report logs -
#811130
php5: [kfreebsd] uploaded files have gid=root
Reported by: Steven Chamberlain <steven@pyro.eu.org>
Date: Fri, 15 Jan 2016 22:18:15 UTC
Severity: important
Found in version php5/5.4.45-0+deb7u2
Fixed in version 5.6.26+dfsg-1+rm
Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, debian-bsd@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#811130; Package src:php5.
(Fri, 15 Jan 2016 22:18:19 GMT) (full text, mbox, link).
Acknowledgement sent
to Steven Chamberlain <steven@pyro.eu.org>:
New Bug report received and forwarded. Copy sent to debian-bsd@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Fri, 15 Jan 2016 22:18:19 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: src:php5
Version: 5.4.45-0+deb7u2
Severity: important
User: debian-bsd@lists.debian.org
Usertags: kfreebsd
X-Debbugs-Cc: debian-bsd@lists.debian.org
(Followup to https://lists.debian.org/debian-bsd/2016/01/msg00021.html)
This turns out to be some bug or odd behaviour of PHP when handling file
uploads on kfreebsd. Here's a simple testcase:
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
print_r($_FILES);
var_dump(move_uploaded_file($_FILES['foo']['tmp_name'], '.foo'));
die();
}
?>
<html>
<body><form id="for-you" method="post" enctype="multipart/form-data">
<input name="foo" type="file" />
<input type="submit" />
</form></body>
</html>
Submitting the web form, PHP writes the uploaded file to /tmp initially,
having a random filename, and moves it to ".foo" in the web document
root at request of the PHP script.
The PHP script is *supposed* to run non-privileged for obvious
reasons. suexec.log suggests I set that up right:
uid: (1046/foo) gid: (1045/foo) cmd: php-fcgi-starter
And executing <?php passthru('id'); ?> confirms that is generally the
case:
uid=1046(foo) gid=1045(foo) groups=1045(foo)
But `stat .foo` shows the uploaded file having gid=0 instead, something
not possible to do if you have dropped privileges:
File: `.foo'
Size: 5 Blocks: 9 IO Block: 4096 regular file
Device: 735ae718h/1935337240d Inode: 238962 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1046/foo) Gid: ( 0/root)
Access: 2016-01-15 22:00:02.555410397 +0000 ^^^^^^
Modify: 2016-01-15 22:00:02.555410397 +0000 wrong gid!
Change: 2016-01-15 22:00:02.555410397 +0000
Birth: -
I couldn't repeat this on a GNU/Linux machine. Is PHP maybe not
dropping privileges properly on GNU/kFreeBSD? (setgid,setegid issue?)
Havne't yet checked it affects regular FreeBSD also.
There seems nothing special about my /tmp: mode 1777/drwxrwxrwt.
That end the web document root are on ZFS.
Thanks.
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#811130; Package src:php5.
(Tue, 16 Feb 2016 12:39:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Tue, 16 Feb 2016 12:39:06 GMT) (full text, mbox, link).
Message #10 received at 811130@bugs.debian.org (full text, mbox, reply):
Steven,
does it happen only with cgi (under a custom fcgi) wrapper or could you
reproduce that under different SAPI (f.e. FPM)?
Could you perhaps also attach php-fcgi-starter script and more about
your webserver configuration related to the FCGI interaction?
Cheers,
--
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
On Fri, Jan 15, 2016, at 23:17, Steven Chamberlain wrote:
> Package: src:php5
> Version: 5.4.45-0+deb7u2
> Severity: important
> User: debian-bsd@lists.debian.org
> Usertags: kfreebsd
> X-Debbugs-Cc: debian-bsd@lists.debian.org
>
> (Followup to https://lists.debian.org/debian-bsd/2016/01/msg00021.html)
>
> This turns out to be some bug or odd behaviour of PHP when handling file
> uploads on kfreebsd. Here's a simple testcase:
>
> <?php
>
> if ($_SERVER['REQUEST_METHOD'] === 'POST') {
> print_r($_FILES);
> var_dump(move_uploaded_file($_FILES['foo']['tmp_name'], '.foo'));
> die();
> }
>
> ?>
> <html>
> <body><form id="for-you" method="post" enctype="multipart/form-data">
> <input name="foo" type="file" />
> <input type="submit" />
> </form></body>
> </html>
>
> Submitting the web form, PHP writes the uploaded file to /tmp initially,
> having a random filename, and moves it to ".foo" in the web document
> root at request of the PHP script.
>
> The PHP script is *supposed* to run non-privileged for obvious
> reasons. suexec.log suggests I set that up right:
>
> uid: (1046/foo) gid: (1045/foo) cmd: php-fcgi-starter
>
> And executing <?php passthru('id'); ?> confirms that is generally the
> case:
>
> uid=1046(foo) gid=1045(foo) groups=1045(foo)
>
> But `stat .foo` shows the uploaded file having gid=0 instead, something
> not possible to do if you have dropped privileges:
>
> File: `.foo'
> Size: 5 Blocks: 9 IO Block: 4096 regular
> file
> Device: 735ae718h/1935337240d Inode: 238962 Links: 1
> Access: (0644/-rw-r--r--) Uid: ( 1046/foo) Gid: ( 0/root)
> Access: 2016-01-15 22:00:02.555410397 +0000 ^^^^^^
> Modify: 2016-01-15 22:00:02.555410397 +0000 wrong gid!
> Change: 2016-01-15 22:00:02.555410397 +0000
> Birth: -
>
> I couldn't repeat this on a GNU/Linux machine. Is PHP maybe not
> dropping privileges properly on GNU/kFreeBSD? (setgid,setegid issue?)
> Havne't yet checked it affects regular FreeBSD also.
>
> There seems nothing special about my /tmp: mode 1777/drwxrwxrwt.
> That end the web document root are on ZFS.
>
> Thanks.
> Regards,
> --
> Steven Chamberlain
> steven@pyro.eu.org
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
> Email had 1 attachment:
> + signature.asc
> 1k (application/pgp-signature)
Reply sent
to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility.
(Fri, 13 Jan 2017 13:07:38 GMT) (full text, mbox, link).
Notification sent
to Steven Chamberlain <steven@pyro.eu.org>:
Bug acknowledged by developer.
(Fri, 13 Jan 2017 13:07:38 GMT) (full text, mbox, link).
Message #15 received at 811130-done@bugs.debian.org (full text, mbox, reply):
Version: 5.6.26+dfsg-1+rm
Dear submitter,
as the package php5 has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/841781
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 11 Feb 2017 07:29:18 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Jul 2 02:21:09 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.