strange php/apache/bsd behavior with file uploads

[Robert Potts]

I actually do not have root access to the server in question, so my 
ability to give details is very limited. The server in question is a BSD 
webserver which has php installed as both a module of apache, and 
available as a cgi process.  The behavior normally is that image uploads 
to /home/user/public_html/images/ are uploaded via the php copy() 
function and placed in this images directory with mode 755. This 
particular functionality has performed without fail for 3 years ot more.

Now, suddenly (the ISP who runs the server claims absolutely no 
configuration changes)
the images are being placed in the directory with mode 600.

The php script, in this case, is run as a cgi process so that the file 
is uploaded by the "owner", and thus is allowed ability to place an 
image in this directory. Historically this functionality did not work 
using php as an apache module because the apache server's userid does 
not have permission to do this.

This is the only cryptic clue I got from the ISP:
"We believe that error causes running under cgiwrap, with a umask of 022 
to halt and anything
happening after that point will be running under straight php which is 
to say www, which has a
umask of 177 (because it comes from root's umask), which is exactly what 
you were seeing. "

I used the php chmod() function to successfully work around the problem, 
but I want to know *why* this suddenly happened?  I think it could 
possibly be either a bug or a security issue, something to do with 
suexec or the cgi php config?

Update: last night suddenly everything started working again, that is 
images uploaded using php copy() and *not* using php chmod() uploaded 
images with 755 mode. So I wrote and asked them how they fixed the 
problem.  This was their response:

"Because of a system security problem, a patch was applied and all our 
BSD systems rebuilt at midnight Tuesday.
As we said before, we found no problem with the system, and its 
configuration has not been changed.
It is our opinion that permissions on files created under php, are not 
defined unless either the umask or the chmod command is employed to 
specifically set them.

If you are having a problem related to our systems, please let us know. "
It seems like these guys don't really know what they are talking about. 
Can anyone hazard some theories on what might have happened and why the 
security patch they applied with a reboot fixed it?

thank you in advance for any light you can shed on this, despite the 
lack of information I can give about the system in question.
-Robert

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"