Steven, does it happen only with cgi (under a custom fcgi) wrapper or could you reproduce that under different SAPI (f.e. FPM)?
Could you perhaps also attach php-fcgi-starter script and more about your webserver configuration related to the FCGI interaction?

Cheers,
--
Ondřej Surý <[email protected]>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

On Fri, Jan 15, 2016, at 23:17, Steven Chamberlain wrote:
> Package: src:php5
> Version: 5.4.45-0+deb7u2
> Severity: important
> User: [email protected]
> Usertags: kfreebsd
> X-Debbugs-Cc: [email protected]
>
> (Followup to https://lists.debian.org/debian-bsd/2016/01/msg00021.html)
>
> This turns out to be some bug or odd behaviour of PHP when handling file
> uploads on kfreebsd. Here's a simple testcase:
>
> <?php
>
> if ($_SERVER['REQUEST_METHOD'] === 'POST') {
>     print_r($_FILES);
>     var_dump(move_uploaded_file($_FILES['foo']['tmp_name'], '.foo'));
>     die();
> }
>
> ?>
> <html>
> <body><form id="for-you" method="post" enctype="multipart/form-data">
>     <input name="foo" type="file" />
>     <input type="submit" />
> </form></body>
> </html>
>
> Submitting the web form, PHP writes the uploaded file to /tmp initially,
> having a random filename, and moves it to ".foo" in the web document
> root at request of the PHP script.
>
> The PHP script is *supposed* to run non-privileged for obvious
> reasons. suexec.log suggests I set that up right:
>
> uid: (1046/foo) gid: (1045/foo) cmd: php-fcgi-starter
>
> And executing <?php passthru('id'); ?> confirms that is generally the
> case:
>
> uid=1046(foo) gid=1045(foo) groups=1045(foo)
>
> But `stat .foo` shows the uploaded file having gid=0 instead, something
> not possible to do if you have dropped privileges:
>
>   File: `.foo'
>   Size: 5          Blocks: 9          IO Block: 4096   regular file
> Device: 735ae718h/1935337240d   Inode: 238962   Links: 1
> Access: (0644/-rw-r--r--)  Uid: ( 1046/foo)   Gid: (    0/root)
> Access: 2016-01-15 22:00:02.555410397 +0000          ^^^^^^
> Modify: 2016-01-15 22:00:02.555410397 +0000        wrong gid!
> Change: 2016-01-15 22:00:02.555410397 +0000
>  Birth: -
>
> I couldn't repeat this on a GNU/Linux machine. Is PHP maybe not
> dropping privileges properly on GNU/kFreeBSD? (setgid,setegid issue?)
> Haven't yet checked it affects regular FreeBSD also.
>
> There seems nothing special about my /tmp: mode 1777/drwxrwxrwt.
> That and the web document root are on ZFS.
>
> Thanks.
> Regards,
> --
> Steven Chamberlain
> [email protected]
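
An added diagnostic sketch, not part of the thread or of PHP: on BSD-derived kernels a newly created file takes the group of its parent directory rather than the creating process's effective gid, so the gid of a file first written to /tmp can be checked against both candidates. The function names, the `--probe` flag and the classification labels are assumptions of this example; run it as the same user the FCGI wrapper runs as.

```shell
#!/bin/sh
# Added example (hypothetical helper names): compare the gid of a freshly
# created file with the process's effective gid and the directory's gid.

# Numeric gid of a path, via POSIX `ls -n` (GNU and BSD userlands).
gid_of() {
    ls -ldn -- "$1" | awk '{print $4}'
}

# classify_gid FILE_GID PROCESS_EGID DIR_GID
# Report which explanation the file's gid is consistent with.
classify_gid() {
    if [ "$1" = "$2" ] && [ "$1" = "$3" ]; then
        echo "inconclusive"      # egid and directory gid coincide
    elif [ "$1" = "$2" ]; then
        echo "process-egid"      # file got the creating process's egid
    elif [ "$1" = "$3" ]; then
        echo "directory-gid"     # file inherited the parent directory's gid
    else
        echo "unexplained"       # neither: look at the process credentials
    fi
}

# probe_dir DIR: create a scratch file in DIR, classify its gid, clean up.
probe_dir() {
    dir=$1
    f=$(mktemp "$dir/gidprobe.XXXXXX") || return 1
    result=$(classify_gid "$(gid_of "$f")" "$(id -g)" "$(gid_of "$dir")")
    rm -f -- "$f"
    echo "$result"
}

# Only probes when asked, e.g.: sh gidprobe.sh --probe /tmp
if [ "${1:-}" = "--probe" ]; then
    echo "ids: $(id)"
    for d in "${2:-/tmp}" .; do
        echo "$d (gid $(gid_of "$d")): new file gid matches $(probe_dir "$d")"
    done
fi
```

A `directory-gid` result for /tmp together with the expected output of `id` points at group inheritance from the directory; `unexplained` points back at the process credentials.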

