From: aheckmann at m-s dot de Operating system: Windows 2000 / IIS PHP version: 5.2.3 PHP Bug Type: IIS related Bug description: exec, passthru, popen... don't passthru Impersonation context
Description: ------------ I run php as fastcgi on Win2000 / IIS with Zend Enabler (FASTCGI-Handler). The Webserver uses impersonation for its virtual hosts, the worker process is running as user IWAM_SERVERNAME the scripts (.asp/.php) impersonate to the security context of user IUSR_SERVERNAME. In fastcgi.conf (for ZendEnabler) Impersonate="1" is set, in php.ini fcgi.impersonate=1 is set. So the php scripts now also use the impersonated security context. (As expected.) But if I start a external process (Imagemagick) with exec(),passthru(),popen() or proc_open() this external process uses the default security context in my example the user IWAM_SERVERNAME. So all the permissions set for the virtual host user (IUSR_SERVERNAME) do not work for the external process because it runs as IWAM_SERVERNAME and so I get a permission denied. As I understand this is the default behaviour in windows process modell when creating a new process with WinApi-function CreateProcess(). In my opinion it would be better to use CreateProcessAsUser() in php so the new Process will also use the impersonated SecurityContext. (when php.ini fcgi.impersonate=1 is set) I think this feature would be very useful to keep security in virtual hosting environments on IIS high (seperate permissions for virtual hosts), with the upcoming Microsoft-FCGI-ISAP-Handler the IIS installations with PHP will surely raise and this feature will become much more relevant. -- Edit bug report at http://bugs.php.net/?id=41768&edit=1 -- Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=41768&r=trysnapshot44 Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=41768&r=trysnapshot52 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=41768&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=41768&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=41768&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=41768&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=41768&r=needscript Try newer version: http://bugs.php.net/fix.php?id=41768&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=41768&r=support Expected behavior: http://bugs.php.net/fix.php?id=41768&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=41768&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=41768&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=41768&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=41768&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=41768&r=dst IIS Stability: http://bugs.php.net/fix.php?id=41768&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=41768&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=41768&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=41768&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=41768&r=mysqlcfg
