Bug #27721
Permissions of uploaded resources not correct
| Status: | Needs Feedback | Start date: | 2011-06-27 | |
|---|---|---|---|---|
| Priority: | Should have | Due date: | ||
| Assigned To: | Karsten Dambekalns | % Done: | 0% |
|
| Category: | Resource | |||
| Target version: | - | |||
| PHP Version: | Complexity: | |||
| Has patch: | No | Affected Flow version: | FLOW3 1.0.0 |
Description
The permissions are not correct and furthermore the setgid bit doesn't have any effect.
History
#1 Updated by Karsten Dambekalns about 4 years ago
- Status changed from New to Needs Feedback
- Assigned To set to Karsten Dambekalns
The use of move_uploaded_file() obviously "creates" a new file at the target, that's why the setgid bit is effective. With rename() the file is moved "together" with it's group, so no setgid bit taking effect (also not using plain mv in a shell).
The question now is, do we want to add a group and/or permission setting for files created by FLOW3 to use chgrp() and chmod() to set accordingly?
#2 Updated by Karsten Dambekalns almost 4 years ago
- Target version deleted (
1230)
#3 Updated by Karsten Dambekalns almost 4 years ago
- Affected Flow version set to FLOW3 1.0.0
#4 Updated by Karsten Dambekalns over 3 years ago
- Has patch set to No
Robert, any strong emotions about this one?
#5 Updated by Robert Lemke over 3 years ago
Hmm, would copy + unlink be a feasible workaround?
#6 Updated by Bastian Waidelich over 3 years ago
- Subject changed from Permissiosn of uploaded resources not correct to Permissions of uploaded resources not correct
#7 Updated by Christian Müller over 3 years ago
Isn't the current state enough with calling fixFilePermissions after move_uploaded_file()
#8 Updated by Karsten Dambekalns over 3 years ago
Christian Mueller wrote:
Isn't the current state enough with calling fixFilePermissions after move_uploaded_file()
No, because that only does a chmod() but move_uploaded_file() "ignores" the setgid bit, as I pointer out above. What would be more interesting is if we ignore this, document it somehow and can live with ACLs - because it should work fine.