Edit report at https://bugs.php.net/bug.php?id=46378edit=1
ID: 46378
Comment by: bigtrend at gmx dot us
Reported by:tomas dot hlavacek at telekomaustria dot cz
Summary:IIS7 FastCGI - upload_tmp_dir not working correctly
Status: Not a bug
Type: Bug
Package:*Configuration Issues
Operating System: Windows Server 2008
PHP Version:5.2.6
Block user comment: N
Private report: N
New Comment:
In addition can add that the following permissions exactly are required for
IIS_IUSRS to the PARENT folder:
1. Traverse folder/Execute file
2. List folder/ read data
3. Write attributes
4. Write extended attributes
It is strange, but read attributes is not required and also create
file/write
data is not required as well.
Hope it will help to protect your servers from the granting too many
permissions
for anonymous system accounts.
Previous Comments:
[2012-02-11 16:07:47] julientld at free dot fr
Hi Pierre Joye,
I have the same problem with an IIS 6 server with PHP 5.3.10 and FastCGI 1.5. I
want to use a custom temp directory for php file uploads.
If I set upload_tmp_dir=D:\Temp\ and set read and write acls for the user IUSR
on the Temp directory, upload fails.
As said by tomas, if we want the upload to function, the acls must also be set
on the parent directory (D:\). Obviously, I do not want to give IUSR write acls
to the whole partition !!
For the moment, I have created a sub-directory for php uploads (D:\Temp\php\).
I have given IUSR acls on \Temp and \php directories (not D:\) and uploads run
fine now.
But I would like to understand this phenomenon. If PHP can't write in a
directory if the parent directory does not have also same acls, it is a
specific behavior related to PHP or it is a Windows problem ?
For me it is a bug. It has no sense to be forced to give acls also to the
parent directory...
Thanks for your clarifications ;)
Julien
[2008-10-24 13:04:27] paj...@php.net
Not a bug bogus
[2008-10-24 12:51:07] tomas dot hlavacek at telekomaustria dot cz
Finally, I found the problem.
Listing on E: must be allowed for IIS_IUSRS:
E:\icacls e:
e: NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\IIS_IUSRS:(S,RD)
[2008-10-24 12:20:01] tomas dot hlavacek at telekomaustria dot cz
Description:
Hello,
in php.ini I have set upload_tmp_dir directive to e:\php5-uploadtemp.
phpinfo() confirms, the directive is set to this value. But PHP is using
C:\Windows\Temp for uploading files instead. This is confirmed by printing
$_FILES['uploadedfile']['tmp_name'] in script.
Server configuration:
-
Windows Server 2008
IIS 7
PHP 5.2.6 as FastCGI module with fastcgi.impersonate = 1
phpcgi.exe processes are running with Network Service privileges (same as
w3wp.exe) and are impersonating to IUSR_xxx accounts (each customer has one).
IUSR_xxx accounts are members of IIS_IUSRS group.
Rights on folders:
C:\icacls c:\windows\temp
c:\windows\temp CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(CI)(S,WD,AD,X)
BUILTIN\IIS_IUSRS:(OI)(CI)(M)
C:\icacls e:\php5-uploadtemp
e:\php5-uploadtemp BUILTIN\IIS_IUSRS:(OI)(CI)(M)
BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
Under Windows Server 2003, IIS6, PHP5 as CGI, with same configuration it was
working.
The rights should be ok, because I have also set session.save_path =
e:\php5-sessiondata with same rights as on e:\php5-uploadtemp and this is
working correctly.
Reproduce code:
---
?
...
print $_FILES['uploadedfile']['tmp_name'];
...
?
Expected result:
e:\php5-uploadtemp\php214E.tmp
Actual result:
--
C:\Windows\Temp\php214E.tmp
--
Edit this bug report at https://bugs.php.net/bug.php?id=46378edit=1
