Summary: | lang/php56, lang/php70: Add umask to php-fpm rc script | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Ports & Packages | Reporter: | Robert Kánia <rk> | ||||||
Component: | Individual Port(s) | Assignee: | Torsten Zuehlsdorff <tz> | ||||||
Status: | Closed FIXED | ||||||||
Severity: | Affects Only Me | CC: | samius05 | ||||||
Priority: | --- | Flags: | bugzilla:
maintainer-feedback?
(tz) |
||||||
Version: | Latest | ||||||||
Hardware: | Any | ||||||||
OS: | Any | ||||||||
Attachments: |
|
I'm sorry for the late response. I will have a look at it! It seems like a good idea to me. Did you get a chance to look into this? Sadly not, but its the second entry on my current ToDo list. :) Finally i'm on it: but the patch did not apply. :/ Its not hard to recreate it, but i want to raise the question: did you (or somebody other) test the patch accordingly? Yes I am using this in production. The php-fpm rc script probably changed in the meantime, so the patch is outdated. Should I submit updated patch (or maybe whole php-fpm.in file)? Yes, that would be fine. Thanks! :) Created attachment 183450 [details]
php-fm.in with umask setting
Is this sufficient?
(In reply to Robert Kánia from comment #7) > Is this sufficient? This looks fine. I'm going to commit this next week! :) A commit references this bug: Author: tz Date: Wed Jun 28 09:40:58 UTC 2017 New revision: 444558 URL: https://svnweb.freebsd.org/changeset/ports/444558 Log: lang/php70 and lang/php71: Add umask to php-fpm rc script PR: 212911 Submitted by: Robert K?nia <rk@redb.cz> Changes: head/lang/php70/files/php-fpm.in head/lang/php71/files/php-fpm.in Committed, thanks! :) |
Created attachment 175077 [details] Patch to add umask setting It's a good security practice to run PHP as another user than the owner of application source files. One drawback though with this approach - files created by the application (uploads, caches, etc.) can not be easily deleted by the owner of application sources. One possible solution to this problem is to use same group for those two users and set umask of the PHP user to 0002. Attached is a patch which allows to set the umask for php-fpm.