Bug 212911 - lang/php56, lang/php70: Add umask to php-fpm rc script
Summary: lang/php56, lang/php70: Add umask to php-fpm rc script
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Torsten Zuehlsdorff
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-22 21:47 UTC by Robert Kánia
Modified: 2017-07-10 10:24 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (tz)


Attachments
Patch to add umask setting (798 bytes, patch)
2016-09-22 21:47 UTC, Robert Kánia
no flags Details | Diff
php-fm.in with umask setting (1.28 KB, text/plain)
2017-06-13 16:09 UTC, Robert Kánia
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Kánia 2016-09-22 21:47:53 UTC
Created attachment 175077 [details]
Patch to add umask setting

It's a good security practice to run PHP as another user than the owner of application source files. One drawback though with this approach - files created by the application (uploads, caches, etc.) can not be easily deleted by the owner of application sources.

One possible solution to this problem is to use same group for those two users and set umask of the PHP user to 0002. Attached is a patch which allows to set the umask for php-fpm.
Comment 1 Torsten Zuehlsdorff freebsd_committer 2016-10-14 12:44:07 UTC
I'm sorry for the late response. I will have a look at it!
Comment 2 Milan Krupa 2017-05-17 11:44:27 UTC
It seems like a good idea to me. Did you get a chance to look into this?
Comment 3 Torsten Zuehlsdorff freebsd_committer 2017-05-19 11:48:12 UTC
Sadly not, but its the second entry on my current ToDo list. :)
Comment 4 Torsten Zuehlsdorff freebsd_committer 2017-06-12 09:34:08 UTC
Finally i'm on it: but the patch did not apply. :/

Its not hard to recreate it, but i want to raise the question: did you (or somebody other) test the patch accordingly?
Comment 5 Robert Kánia 2017-06-13 15:58:29 UTC
Yes I am using this in production. The php-fpm rc script probably changed in the meantime, so the patch is outdated.

Should I submit updated patch (or maybe whole php-fpm.in file)?
Comment 6 Torsten Zuehlsdorff freebsd_committer 2017-06-13 16:00:34 UTC
Yes, that would be fine. Thanks! :)
Comment 7 Robert Kánia 2017-06-13 16:09:24 UTC
Created attachment 183450 [details]
php-fm.in with umask setting

Is this sufficient?
Comment 8 Torsten Zuehlsdorff freebsd_committer 2017-06-23 09:10:10 UTC
(In reply to Robert Kánia from comment #7)

> Is this sufficient?

This looks fine. I'm going to commit this next week! :)
Comment 9 commit-hook freebsd_committer 2017-06-28 09:41:06 UTC
A commit references this bug:

Author: tz
Date: Wed Jun 28 09:40:58 UTC 2017
New revision: 444558
URL: https://svnweb.freebsd.org/changeset/ports/444558

Log:
  lang/php70 and lang/php71: Add umask to php-fpm rc script

  PR:           212911
  Submitted by: Robert K?nia <rk@redb.cz>

Changes:
  head/lang/php70/files/php-fpm.in
  head/lang/php71/files/php-fpm.in
Comment 10 Torsten Zuehlsdorff freebsd_committer 2017-06-28 09:41:58 UTC
Committed, thanks! :)