Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fpm: relax log permissions (bug #61435) #771

Closed
wants to merge 1 commit into from

Conversation

Lekensteyn
Copy link

Do not unconditionally set permissions for access_log, error_log and slow_log to
0600, instead default to 0644 and allow the administrator to set tightier
permissions as needed (using umask).

This makes the logs more accessible to developers which are unlikely to run as
the PHP server user.


bug 61435 has been open for too long, let's try to carry it upstream in this way.

Do not unconditionally set permissions for access_log, error_log and slow_log to
0600, instead default to 0644 and allow the administrator to set tightier
permissions as needed (using umask).

This makes the logs more accessible to developers which are unlikely to run as
the PHP server user.
@ogrange
Copy link

ogrange commented Aug 14, 2014

Thanks!

@Lekensteyn
Copy link
Author

Ping?

@smalyshev
Copy link
Contributor

I'd talk to FPM maintainers, I think it's better to have safer settings by default...

@Lekensteyn
Copy link
Author

Administrators can still set umask to set tightier permissions.

Alternatively you could introduce a log.mode directive (or even more finegrained, error_log.mode, slowlog.mode, access_log.mode) to control the log permissions.

@Tyrael
Copy link
Member

Tyrael commented Nov 24, 2014

I think that a config option for controlling the mode for the logs would be nice, but I don't like the idea to change the default for everybody for a less secure value.

@ogrange
Copy link

ogrange commented Nov 24, 2014

@Lekensteyn the problem with the umask approach is that it will change it not only for php but also for all its subprocesses (includings users'), which may not be what is wanted.

A configuration is probably the best option here.

@krakjoe
Copy link
Member

krakjoe commented Jan 3, 2017

This has merge conflicts, and targets PHP5, in addition consensus seems to be that this approach is a bad one, so I'm closing this PR.

Please take this action as encouragement to work on the feature against a supported branch, using the suggestions you got from other contributors.

@krakjoe krakjoe closed this Jan 3, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

5 participants