
Bug#811130: php5: [kfreebsd] uploaded files have gid=root



Package: src:php5
Version: 5.4.45-0+deb7u2
Severity: important
User: debian-bsd@lists.debian.org
Usertags: kfreebsd
X-Debbugs-Cc: debian-bsd@lists.debian.org

(Followup to https://lists.debian.org/debian-bsd/2016/01/msg00021.html)

This turns out to be some bug or odd behaviour of PHP when handling file
uploads on kfreebsd.  Here's a simple testcase:

<?php

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    print_r($_FILES);
    var_dump(move_uploaded_file($_FILES['foo']['tmp_name'], '.foo'));
    die();
}

?>
<html>
<body><form id="for-you" method="post" enctype="multipart/form-data">
<input name="foo" type="file" />
<input type="submit" />
</form></body>
</html>

Submitting the web form, PHP writes the uploaded file to /tmp initially,
having a random filename, and moves it to ".foo" in the web document
root at request of the PHP script.

The PHP script is *supposed* to run non-privileged for obvious
reasons.  suexec.log suggests I set that up right:

    uid: (1046/foo) gid: (1045/foo) cmd: php-fcgi-starter

And executing <?php passthru('id'); ?> confirms that is generally the
case:

    uid=1046(foo) gid=1045(foo) groups=1045(foo) 

But `stat .foo` shows the uploaded file having gid=0 instead, something
not possible to do if you have dropped privileges:

      File: `.foo'
      Size: 5         	Blocks: 9          IO Block: 4096   regular file
    Device: 735ae718h/1935337240d	Inode: 238962      Links: 1
    Access: (0644/-rw-r--r--)  Uid: ( 1046/foo)   Gid: (    0/root)
    Access: 2016-01-15 22:00:02.555410397 +0000             ^^^^^^
    Modify: 2016-01-15 22:00:02.555410397 +0000           wrong gid!
    Change: 2016-01-15 22:00:02.555410397 +0000
     Birth: -

I couldn't repeat this on a GNU/Linux machine.  Is PHP maybe not
dropping privileges properly on GNU/kFreeBSD?  (setgid,setegid issue?)
Haven't yet checked whether it affects regular FreeBSD also.

There seems nothing special about my /tmp:  mode 1777/drwxrwxrwt.
That and the web document root are on ZFS.

Thanks.
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
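
An added example, not part of the original report or of PHP itself: an upload handler that checks the condition `stat` exposed above, namely whether the stored file's gid is one the process actually holds, and resets it otherwise. On BSD-derived kernels a new file takes its group from the directory it is created in, so the temporary directory's gid is compared as well; the function names and the sample directory gid are assumptions.

```php
<?php
// Added example, not from the original report. Function names are
// hypothetical. Needs PHP >= 5.4 with the posix extension.

/** Effective gid plus supplementary groups of the PHP process. */
function process_gids()
{
    return array_unique(array_merge(array(posix_getegid()), posix_getgroups()));
}

/** Classify a file gid: 'ok', 'dir-inherited' or 'unexpected'. */
function classify_gid($fileGid, array $procGids, $dirGid)
{
    if (in_array($fileGid, $procGids, true)) {
        return 'ok';
    }
    return $fileGid === $dirGid ? 'dir-inherited' : 'unexpected';
}

/** Move an upload into place, then verify and, if needed, repair its group. */
function store_upload($tmpName, $dest)
{
    // Group of the directory PHP created the temporary file in (e.g. /tmp).
    $tmpDirGid = filegroup(dirname($tmpName));
    if (!move_uploaded_file($tmpName, $dest)) {
        throw new RuntimeException('move_uploaded_file() failed');
    }
    clearstatcache(true, $dest);
    $gid = filegroup($dest);
    $verdict = classify_gid($gid, process_gids(), $tmpDirGid);
    if ($verdict !== 'ok') {
        error_log("upload $dest: gid $gid is not a process group ($verdict)");
        // A file's owner may change its group to one the process belongs to.
        if (!chgrp($dest, posix_getegid())) {
            unlink($dest);
            throw new RuntimeException('could not reset group on upload');
        }
        clearstatcache(true, $dest);
    }
    return $verdict;
}

// Constructed sample using the ids shown in the report. The directory gid
// of 0 is an assumption; the report does not show it.
if (PHP_SAPI === 'cli') {
    echo classify_gid(0, array(1045), 0), "\n";    // file gid 0, process in 1045
    echo classify_gid(1045, array(1045), 0), "\n"; // file gid matches process
}
```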
