PHP touch() is not affected by file permissions?

Question

I have setup a demo "admin" website with all file permissions set to 555 for directories and 444 for files so that any "save" functionality is disabled. So far so good.

However, I noticed that the PHP touch() function is unaffected by file permissions? I am successfully running PHP touch() on directories that have no-WRITE permissions (555). Seems a bit odd. Is this intended behavior (PHP 7.2)?

I am trying to prevent touch() from being able to execute (via file permissions), but can't currently see how this is possible.

Thanks.

The operating system enforces permissions, PHP can't get around them unless somehow it's running as `root`. — Barmar, Mar 07 '18 at 18:04
@fantasticrice I believe yes. The user is the owner and www. It can't write to anything without "write" permissions though https://d.pr/i/Ai4NqC, but it seems it's able to touch(). — suncat100, Mar 07 '18 at 18:06
The owner of a file is allowed to change its timestamps, even without write permission. — Barmar, Mar 07 '18 at 18:07
@Barmar ok, thanks. I wonder if there is any way around this without having to change the owner of the file, which seems tedious. — suncat100, Mar 07 '18 at 18:09

score 1 · Accepted Answer · answered Mar 07 '18 at 18:12

1

From the utimes(3) documentation:

The effective user ID of the process shall match the owner of the file, or has write access to the file or appropriate privileges to use this call in this manner.

So the owner can update the timestamps even without write access. You need to change the ownership of the files so they're not the same as the user running the PHP script.

If this is a problem, maybe you should use some other method to keep track of changes that the file modification times.

answered Mar 07 '18 at 18:12

Barmar

741,623
53
500
612

I guess I could change ownership of the single directory where I need to prevent `touch()`. Will just have to remember to temporarily set it back when I make updates from the original owner. Thanks! – suncat100 Mar 07 '18 at 18:15
Ownership of the directory is irrelevant, only the file ownership matters. – Barmar Mar 07 '18 at 18:16
But the touch() function is executed on a directory. Not files within. – suncat100 Mar 07 '18 at 18:17
That wasn't clear from the question. What matters is the ownership of whatever the argument to `touch()` is. If you're only touching the directory, then the file permissions are irrelevant. – Barmar Mar 07 '18 at 18:19
I'm not quite sure what we are discussing now. Your answer helped. If I change ownership of the directory, the touch() function cannot execute on this directory. Perfect. – suncat100 Mar 07 '18 at 18:21
I just assumed in my answer that you were touching the files, not the directory. – Barmar Mar 07 '18 at 18:22
1

As far as `touch()` is concerned, there's not really any difference between files and directories. – Barmar Mar 07 '18 at 18:22
FYI: Our applications reads `filemtime` of a specific directory to check if cache for the application should be refreshed. Thus, I don't want the touch() to be able to execute on this dir when no changes were made. There are no other touch() functions executed on files or any other dirs. – suncat100 Mar 07 '18 at 18:24

PHP touch() is not affected by file permissions?

1 Answers1