How does "umask" work in PHP and when should we use it or not?


6

I was reading the documentation of umask and I came across this:

When PHP is being used as a server module, the umask is restored when each request is finished.

Translating: When PHP is being used as a server module, the umask is restored when the request ends.

I wonder whether this umask restoration occurs in any server module, such as:

Or is some configuration or flag required so that the module understands that it must restore the umask when the request is completed?

I would also like to know when and how to use it. For example, for a folder with client uploads it would be interesting to limit permissions; however, I notice that some people use umask at upload time and others do not. How does this work, and what is the technical and/or security need related to it?

When you are moving a large file from a folder like /tmp to another folder with move_uploaded_file while using umask, might the folder be insecure until the request finishes processing?

1 answer

6


Before understanding umask, you must understand the permissions of *Nix filesystems; some answers in the posts here can help:

What are the risks of using permission 777?

Permission denied when moving file with move_upload_file on Linux server

Likewise, umask is a concept that makes sense on *Nix systems. In PHP it is a compatibility layer over existing filesystem features (as several other libs are, some for DB, others for Web requests, etc.), and it is independent of the web server.

Note: when you write a number in PHP (and some other languages) prefixed by 0, it is an OCTAL and not a decimal number. *Nix permissions are octal by nature (three bits per digit).

What is it for?

The name more or less says it: User file Creation MAsk. It is a mask which is applied over file permissions.

It basically withdraws privileges from the running process, denying them through a bit mask.

PHP defaults the umask to the value 022, and this can be "loosened" if you decrease this value.


How does it work?

Example of the PHP manual itself:

original 0666 rw-.rw-.rw-
umask    0022 ---.-w-.-w-
final    0644 rw-.r--.r--

See it in binary for ease:

original 000 110 110 110 rw-.rw-.rw-
umask    000 000 010 010 ---.-w-.-w-
final    000 110 100 100 rw-.r--.r--

That is, the umask denied the "2" bits of both other and group.

In practice, as the default for file creation in the filesystem is 0666 and for directories 0777, PHP's standard umask of 022 ends up defining this as the default:

  • Files created as 0644;

  • Directories created as 0755.

It is worth noting that the umask itself is already "masked": it receives an or with 0777 before it is applied, so umask( 01771 ) will actually have the same effect as umask( 0771 ).

There is an important detail when using umask: it returns the current value of the mask, regardless of whether you are setting a new one or just consulting it, which brings us to the next point...


The state of umask at the end of the process:

In the manual we have this:

When PHP is being used as a server module, umask is restored at the end of each request.

We have to remember that when you run PHP as CGI, there are several processes being created and released at the end, and when you run it as a module, it is one continuous process. So what matters is not the "list" of web servers used, but how PHP runs; that determines whether the umask is reset automatically at the end or not.

Summary: since the cases where you can count on the umask being reset are very specific, and since you should not depend on a script's state for the entire session, store the return value of the first umask call you make and always restore the umask to the default state at the end. Better yet? Do not touch it unless you have a real reason to. Set it in the server configuration and leave it. It's an option that can give you a lot of headaches if you don't have mastery of *Nix permissions, and if you do, you probably don't even need this warning.


Manual

http://php.net/manual/en/function.umask.php
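
The save-and-restore advice from the answer above, as an added example that is not part of the original post. The helper names with_umask() and mode_of(), the sandbox directory and the 0027 mask for an uploads folder are assumptions chosen for illustration, and a POSIX filesystem is assumed.

```php
<?php
declare(strict_types=1);

/**
 * Run $fn under a temporary umask and always put the previous one back.
 * with_umask() is a hypothetical helper name, not a PHP built-in.
 */
function with_umask(int $mask, callable $fn)
{
    $previous = umask($mask);   // umask() returns the mask that was active before
    try {
        return $fn();
    } finally {
        umask($previous);       // restored even if $fn throws
    }
}

/** Permission bits of a path as a four-digit octal string. */
function mode_of(string $path): string
{
    clearstatcache(true, $path);
    return sprintf('%04o', fileperms($path) & 0777);
}

// Constructed sandbox directory so the example runs offline.
$base = sys_get_temp_dir() . '/umask_demo_' . bin2hex(random_bytes(4));
$dir  = $base . '/uploads';
$file = $dir . '/a.txt';

$before = umask();              // called with no argument: read without changing

with_umask(0027, function () use ($dir, $file) {
    // Requested mode 0777; the mask strips group-write and every "other" bit.
    mkdir($dir, 0777, true);
    // New files are requested as 0666 and go through the same mask.
    file_put_contents($file, 'x');
});

printf("dir   %s\n", mode_of($dir));
printf("file  %s\n", mode_of($file));
printf("umask restored: %s\n", umask() === $before ? 'yes' : 'no');

// Remove the sandbox again.
unlink($file);
rmdir($dir);
rmdir($base);
```

The PHP manual advises against umask() in multithreaded web servers, where every thread shares one mask, and suggests calling chmod() on the file after creating it instead.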
