php.ini INI_SYSTEM: local value of "sys_temp_dir" does not overide master value and can bypass "open_basedir" (not a security issue FMPOV)

[trendymail]

Description

Hello!

I really hope this "issue" is not a duplicate: found nothing specific about this behavior in open/closed issues or mailing list archives.

Long story short: parameter "sys_temp_dir" does not seem to work as intended when overridden in a specific vhost.

• Linux VPS - Debian 12 (bookworm) - 32 vCore - 32 Go RAM - 4 Go SWAP

• PHP versions tested: 7.4.33, 8.0.30, 8.1.27, 8.2.17 and 8.3.4

• Opcache: opcache.error_log = /var/log/php8.3/opcache.log opcache.log_verbosity_level = 2 opcache.max_accelerated_files = 16229 opcache.max_file_size = 4194304 opcache.max_wasted_percentage = 1 opcache.memory_consumption = 320 opcache.revalidate_freq = 0

• /etc/php/8.3/fpm/php.ini doc_root = /var/jail/deny/ open_basedir = /var/jail/deny/ sys_temp_dir = /var/jail/allow/

• /var/jail/ drwxr-xr-x 5 root root 4096 2024-04-03 21:14 ./ drwxr-xr-x 13 root root 4096 2024-03-04 14:38 ../ drwx------ 2 root root 4096 2024-04-03 20:48 deny/ drwx------ 2 www-vhost root 4096 2024-04-03 21:16 allow/

• /etc/php/8.3/fpm/conf.d/99-vhosts.ini [PATH=/vhosts/www.website.tld] doc_root = /vhosts/www.website.tld/html/ open_basedir = /vhosts/www.website.tld/ sys_temp_dir = /vhosts/www.website.tld/var/tmp/

• /vhosts/www.website.tld/var/ drwxr-x--- 6 root www-vhost 4096 2021-09-15 23:16 ./ drwxr-x--- 7 root www-vhost 4096 2024-03-02 00:52 ../ drwxr-x--- 2 www-vhost www-vhost 4096 2024-04-03 20:35 tmp/

• phpinfo: Directive Local Value Master Value doc_root /vhosts/www.website.tld/html/ /var/jail/deny/ open_basedir /vhosts/www.website.tld/ /var/jail/deny/ sys_temp_dir /vhosts/www.website.tld/var/tmp/ /var/jail/allow/

So far so good... ^^

But, what really happens, is that some temporary files are still created/written in "/var/jail/allow/" directory:

# inotifywait -m -r /var/jail/ Setting up watches. Beware: since -r was given, this may take a while! Watches established. /var/jail/allow/ CREATE phpoWnujz /var/jail/allow/ OPEN phpoWnujz /var/jail/allow/ MODIFY phpoWnujz /var/jail/allow/ MODIFY phpoWnujz /var/jail/allow/ ACCESS phpoWnujz /var/jail/allow/ CLOSE_WRITE,CLOSE phpoWnujz /var/jail/allow/ DELETE phpoWnujz

Please note that path "/var/jail/allow/" is outside "open_basedir" directory and PHP does not yield any warning or error.

Also, if "sys_temp_dir" master value is set to a path not readable/writable by PHP ("www-vhost" in this case), temporary files are not created at all, even if phpinfo() says that "/vhosts/www.website.tld/var/tmp/" is used.

If you need more infos, please ask!

Have a great day and many, many thanks for PHP. :)

PHP Version

PHP 7.4.33 PHP 8.0.30 PHP 8.1.27 PHP 8.2.17 PHP 8.3.4

Operating System

Debian 12 (bookworm)

[trendymail]

Did I say something wrong?

Please, feel free to close this as "bogus".

Or just send me a RTFM link! :)