Date: Fri, 25 Jun 2004 00:07:46 -0600 From: Robert Potts <robert@pottsdata.com> To: freebsd-questions@freebsd.org Subject: strange php/apache/bsd behavior with file uploads Message-ID: <40DBC132.8010403@pottsdata.com>
next in thread | raw e-mail | index | archive | help
I actually do not have root access to the server in question, so my ability to give details is very limited. The server in question is a BSD webserver which has php installed as both a module of apache, and available as a cgi process. The behavior normally is that image uploads to /home/user/public_html/images/ are uploaded via the php copy() function and placed in this images directory with mode 755. This particular functionality has performed without fail for 3 years ot more. Now, suddenly (the ISP who runs the server claims absolutely no configuration changes) the images are being placed in the directory with mode 600. The php script, in this case, is run as a cgi process so that the file is uploaded by the "owner", and thus is allowed ability to place an image in this directory. Historically this functionality did not work using php as an apache module because the apache server's userid does not have permission to do this. This is the only cryptic clue I got from the ISP: "We believe that error causes running under cgiwrap, with a umask of 022 to halt and anything happening after that point will be running under straight php which is to say www, which has a umask of 177 (because it comes from root's umask), which is exactly what you were seeing. " I used the php chmod() function to successfully work around the problem, but I want to know *why* this suddenly happened? I think it could possibly be either a bug or a security issue, something to do with suexec or the cgi php config? Update: last night suddenly everything started working again, that is images uploaded using php copy() and *not* using php chmod() uploaded images with 755 mode. So I wrote and asked them how they fixed the problem. This was their response: "Because of a system security problem, a patch was applied and all our BSD systems rebuilt at midnight Tuesday. As we said before, we found no problem with the system, and its configuration has not been changed. It is our opinion that permissions on files created under php, are not defined unless either the umask or the chmod command is employed to specifically set them. If you are having a problem related to our systems, please let us know. " It seems like these guys don't really know what they are talking about. Can anyone hazard some theories on what might have happened and why the security patch they applied with a reboot fixed it? thank you in advance for any light you can shed on this, despite the lack of information I can give about the system in question. -Robert
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40DBC132.8010403>