Bug 212911

Summary: lang/php56, lang/php70: Add umask to php-fpm rc script
Product: Ports & Packages
Reporter: Robert Kánia <rk>
Component: Individual Port(s)
Assignee: Torsten Zuehlsdorff <tz>
Status: Closed FIXED
Severity: Affects Only Me
CC: samius05
Priority: ---
Flags: bugzilla: maintainer-feedback? (tz)
Version: Latest
Hardware: Any
OS: Any
Attachments (Description / Flags):
  Patch to add umask setting / none
  php-fm.in with umask setting / none

Description Robert Kánia 2016-09-22 21:47:53 UTC
Created attachment 175077
Patch to add umask setting

It's a good security practice to run PHP as a different user than the owner of the application source files. There is one drawback with this approach, though: files created by the application (uploads, caches, etc.) cannot be easily deleted by the owner of the application sources.

One possible solution to this problem is to use the same group for those two users and set the umask of the PHP user to 0002. Attached is a patch which allows setting the umask for php-fpm.
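
The effect of the umask described in the report, as an added example that is not part of the original report or of the committed rc script: it creates a directory and a file under umask 0022 and under 0002, then checks whether a group member could manage entries in the new directory. The function names and temporary paths are constructed for this demo.

```shell
#!/bin/sh
# Added example: what the process umask does to the files and directories
# a service such as php-fpm creates. All names and paths are hypothetical.

# mode_of PATH -> octal permission bits (GNU stat first, BSD stat as fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# created_modes UMASK -> prints "<dir-mode> <file-mode>" for a directory and
# a file created under that umask, the way an application running in a
# worker would create an upload directory and a file inside it.
created_modes() {
    (   # subshell: the umask change does not leak into the caller
        umask "$1"
        tmp=$(mktemp -d) || exit 1
        mkdir "$tmp/uploads"            # requested 0777, masked by umask
        : > "$tmp/uploads/file.dat"     # requested 0666, masked by umask
        echo "$(mode_of "$tmp/uploads") $(mode_of "$tmp/uploads/file.dat")"
        rm -rf "$tmp"
    )
}

# group_can_manage DIRMODE -> success if members of the directory's group can
# create and delete entries in it (needs both group write and group search).
group_can_manage() {
    [ $(( 0$1 & 030 )) -eq $(( 030 )) ]
}

for mask in 0022 0002; do
    set -- $(created_modes "$mask")     # $1 = directory mode, $2 = file mode
    if group_can_manage "$1"; then verdict="can"; else verdict="cannot"; fi
    echo "umask $mask: dir=$1 file=$2 -> group $verdict delete entries"
done
```

Removing a file requires write permission on its directory, so it is the directory mode (775 versus 755) that decides whether the shared group can clean up what the application created. With 0002 new files stay world-readable; 0007 keeps the group access while dropping all access for others.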
Comment 1 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2016-10-14 12:44:07 UTC
I'm sorry for the late response. I will have a look at it!
Comment 2 Milan Krupa 2017-05-17 11:44:27 UTC
It seems like a good idea to me. Did you get a chance to look into this?
Comment 3 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2017-05-19 11:48:12 UTC
Sadly not, but it's the second entry on my current ToDo list. :)
Comment 4 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2017-06-12 09:34:08 UTC
Finally I'm on it, but the patch did not apply. :/

It's not hard to recreate it, but I want to raise the question: did you (or somebody else) test the patch accordingly?
Comment 5 Robert Kánia 2017-06-13 15:58:29 UTC
Yes, I am using this in production. The php-fpm rc script probably changed in the meantime, so the patch is outdated.

Should I submit an updated patch (or maybe the whole php-fpm.in file)?
Comment 6 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2017-06-13 16:00:34 UTC
Yes, that would be fine. Thanks! :)
Comment 7 Robert Kánia 2017-06-13 16:09:24 UTC
Created attachment 183450
php-fm.in with umask setting

Is this sufficient?
Comment 8 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2017-06-23 09:10:10 UTC
(In reply to Robert Kánia from comment #7)

> Is this sufficient?

This looks fine. I'm going to commit this next week! :)
Comment 9 commit-hook freebsd_committer freebsd_triage 2017-06-28 09:41:06 UTC
A commit references this bug:

Author: tz
Date: Wed Jun 28 09:40:58 UTC 2017
New revision: 444558
URL: https://svnweb.freebsd.org/changeset/ports/444558

Log:
  lang/php70 and lang/php71: Add umask to php-fpm rc script

  PR:           212911
  Submitted by: Robert Kánia <rk@redb.cz>

Changes:
  head/lang/php70/files/php-fpm.in
  head/lang/php71/files/php-fpm.in
Comment 10 Torsten Zuehlsdorff freebsd_committer freebsd_triage 2017-06-28 09:41:58 UTC
Committed, thanks! :)