Display false warning when run as non-root user with setuid bit set #7758
Comments
The current conditional can be found here, and probably needs some double checking / adjustment: composer/src/Composer/Console/Application.php Lines 202 to 215 in 837ad7c
|
Maybe setuid doesn't change what posix_getuid() returns.. I am not super familiar with it. Anyway not a huge deal IMO but if you manage to fix it feel free to send a PR. |
I think it is about the difference between the effective and the real user ID: |
I tried changing from
|
What do you get if you run `php -r 'var_dump(posix_geteuid());'` ? I get 0 as root for both getuid and geteuid. Are you sure PHP is running as root in your test?
|
I tested EUID behavior after reading those good explanations. Here is my test:
And here are the results:
So if we execute a script with RUID set to root, we can switch the EUID as we wish during the process, and from what I know:
|
Right, so I think keeping the root warning makes sense even if seteuid was used. Closing this. |
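The real versus effective UID distinction discussed in the comments above, as an added example (not code from Composer or from any participant in this thread). It assumes Linux, where `/proc/<pid>/status` carries a `Uid:` line with the real, effective, saved and filesystem UIDs; the function names are hypothetical and UID 1001 is a constructed stand-in for the `deploy` user.

```php
<?php
// Added example: classify a process from the "Uid:" line of /proc/<pid>/status.
// posix_getuid() reports the "real" field, posix_geteuid() the "effective" one.

/** @return array{real:int,effective:int,saved:int,fs:int} */
function parseProcUids(string $status): array
{
    if (!preg_match('/^Uid:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$/m', $status, $m)) {
        throw new InvalidArgumentException('no Uid: line in status text');
    }
    return ['real' => (int) $m[1], 'effective' => (int) $m[2],
            'saved' => (int) $m[3], 'fs' => (int) $m[4]];
}

function rootExposure(array $ids): string
{
    if ($ids['effective'] === 0) {
        return 'root';            // acting as root right now
    }
    if ($ids['real'] === 0 || $ids['saved'] === 0) {
        // Linux lets a process set its effective UID to its real or saved UID,
        // so seteuid(0) would succeed here.
        return 'can-regain-root';
    }
    return 'unprivileged';
}

// Constructed samples, not output captured from the thread.
$samples = [
    'root shell, plain php'            => "Name:\tphp\nUid:\t0\t0\t0\t0\n",
    'root shell, php setuid to deploy' => "Name:\tphp\nUid:\t0\t1001\t1001\t1001\n",
    'deploy shell, plain php'          => "Name:\tphp\nUid:\t1001\t1001\t1001\t1001\n",
];
foreach ($samples as $label => $status) {
    printf("%-34s %s\n", $label, rootExposure(parseProcUids($status)));
}

// The same classification for the live process, when /proc is available.
if (is_readable('/proc/self/status')) {
    $live = parseProcUids(file_get_contents('/proc/self/status'));
    printf("%-34s %s\n", 'this process', rootExposure($live));
}
```

The second sample is the setup from the issue: the effective UID is the binary's owner, but the real UID is still 0, so a check on the real UID alone reports root and a check on the effective UID alone reports a non-root user.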
I am getting different ids. Have you both configured your
Also I don't know how it is relevant to the Apache process? I think Composer uses CLI-SAPI. So any script that will be executed by CLI-SAPI with the setuid bit set on it should take the ownership of that CLI-SAPI. Please correct me if I am wrong. |
@dbjpanda I think you're right but if |
I configured my php executable, i.e. `/usr/local/bin/php`, with a setuid for user deploy, so that if any user calls that php binary it should be executed as deploy only. As you can see below, the php binary is chowned by a non-root user deploy.
Output getting
Do not run Composer as root/super user! .
Expected result:
I shouldn't get that warning as the php binary is owned by `deploy` and the setuid bit is set.
However, even if executing `php composer.phar install` as root, the vendor dir created is owned by deploy. In fact the composer process ignores the setuid bit, but when it creates any file/dir it obeys setuid.
I inserted the below inside the composer.phar and get the right user, i.e. deploy, but with a warning "Don't call as root".
Output of `composer diagnose`: