Bug 70775 - Uploaded files have execute permission set
Summary: Uploaded files have execute permission set
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: apache (Show other bugs)
(Show other bugs)
Version: 7.2
Hardware: i386 Linux
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2002-08-05 03:26 UTC by kop
Modified: 2005-10-31 22:00 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-09-21 10:51:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description kop 2002-08-05 03:26:01 UTC
Description of Problem:

I've a php script which uploads files.  These files arrive on the
server (after move_uploaded_file()) with ugo execute permission set.

This can't be good.

Version-Release number of selected component (if applicable):

How Reproducible:


Steps to Reproduce:

Upload file with php, save with move_uploaded_file.

Expected Results:

I'd expect u=rw,g=rw,o=r permissions (group rw allows "collaboration"
between webserver and others.)

Additional Information:

Am using the default umask in the apache config file. (i.e. umask
never specified.)

My script does contain the code:
// Make the temp directory.
$mask = umask(05002);    // Turn off setuid, sticky bit, and 'other' write
mkdir($temppath, 02774); // Allow anybody to read but not decend

Later, the uploaded file is moved into $temppath with move_uploaded_file().
This shouldn't matter, but.... (Other files created with fopen, fwrite, fclose
are not executable.)

See also?: Bug#:41229

What is the default upload directory (/etc/php.ini says it's "the system
default") so I can add an appropriate umask to the apache configuration file?
Maybe the default apache umask should be && 0111?

P.S.  It seems a little uncivil to be reporting security problems in
what amounts to a public forum. Is there another way?  (I assigned priority
"low" as it takes another exploit to take advantage of this behavior.)

Comment 1 kop 2002-08-05 03:35:51 UTC
Presently permissions on uploaded files are: -rwxr-xr-x

Comment 2 Gary Benson 2002-08-13 11:58:44 UTC
You'd only be able to exploit this if your script saved uploaded files into
somewhere that the webserver would execute them.  If you _are_ doing this then
you should stop, since you can make an exploit without requiring execute
permissions: PHP, mod_perl, mod_python, etc don't require their scripts be

It is, however, a little strange that they arrive with execute permissions set,
and it should probably be fixed.  In the meantime you can always fix this in
your script by chmod()ing them (see

By the way, using umask() in your script probably won't work since PHP downloads
the file before any of your code executes.

Comment 3 Joe Orton 2004-09-21 10:51:19 UTC
Thanks for the report.  This is a mass bug update; since this release
of Red Hat Linux is no longer supported, please either:

a) try and reproduce the bug with a supported version of Red Hat
Enterprise Linux or Fedora Core, and re-open this bug as appropriate
after changing the Product field, or,

b) if relevant, try and reproduce this bug using the current version
of the upstream package, and report the bug upstream.

Note You need to log in before you can comment on or make changes to this bug.