
When I use PHP's move_uploaded_file function to upload files into a directory, those files have the label httpd_sys_rw_content_t and inherit the parent directory's ACLs. If I configure PHP to use a custom created temp directory, the uploaded files are instead labelled httpd_tmp_t and lose the ACL.

What causes this to happen?

The temp directory resides in /var/www/project/tmp. It has a mode of 1777 and a label of tmp_t.

The upload directory resides in /var/www/project/uploads and is writable by the PHP process and has a label of httpd_sys_rw_content_t. Files created inside it also have this label and inherit the ACLs of its parent, except in this strange case.

I would say this is the result of moving files from one location to another, but why does it not do this for /tmp?

  • Rocky Linux 8
  • PHP 8.1
jamieburchell
  • Show your upload script please – Ken Lee May 18 '23 at 15:02
  • @KenLee This sounds like something being done automatically by the OS, not the script. – Barmar May 18 '23 at 15:34
  • @KenLee this isn't specific to any particular upload script. I can repro it on several different web apps that use move_uploaded_file. Certainly, those apps are not doing any other file operations on those files. – jamieburchell May 18 '23 at 15:57
  • Just to make sure that you will not accidentally concatenate the source into the target. – Ken Lee May 18 '23 at 16:08

1 Answer


There is a file transition saying that when a process with the type httpd_t creates a file in a directory with the type tmp_t, it applies the type httpd_tmp_t.

If you are expecting the httpd_sys_rw_content_t type for the files created in this directory, you should set this type to the directory:

# Tell SELinux that /var/www/project/tmp and everything under it should carry httpd_sys_rw_content_t
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/project/tmp(/.*)?"
# Relabel the existing directory tree according to the new rule
restorecon -RF /var/www/project/tmp
# Ensure SELinux is in enforcing mode
setenforce 1
  • But `/tmp` (or where systemd's private temp ultimately is in `/tmp`) doesn't have `httpd_sys_rw_content_t` as far as I can tell, yet the files end up inheriting that context from the uploads directory. – jamieburchell May 20 '23 at 06:06
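To check the situation the answer describes before touching the policy, here is an added audit script (not from the question or the answer) that reads `ls -Zd` output for the two directories, predicts what type httpd_t would give a newly created file, and emits the answer's relabel commands for any directory whose new files would not get httpd_sys_rw_content_t. The `ls -Zd` output and the single transition rule (httpd_t in tmp_t gives httpd_tmp_t, otherwise the directory's type) are constructed from the page rather than read from the live policy.

```python
"""Audit SELinux labels on PHP upload directories (constructed example)."""
import re

# Sample `ls -Zd` output for the two directories from the question (constructed).
LS_Z_OUTPUT = """\
unconfined_u:object_r:tmp_t:s0 /var/www/project/tmp
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/project/uploads
"""

# Type transition described in the answer: httpd_t creating a file in a tmp_t
# directory yields httpd_tmp_t. Without a matching rule the new file simply
# takes the directory's type. (Assumed rule table, not read from the policy.)
TYPE_TRANSITIONS = {("httpd_t", "tmp_t"): "httpd_tmp_t"}

def parse_ls_z(output):
    """Map each path to its SELinux type, e.g. {'/var/www/project/tmp': 'tmp_t'}."""
    labels = {}
    for line in output.splitlines():
        # context is user:role:type:level, level may itself contain colons
        m = re.match(r"(\S+?):(\S+?):(\S+?):(\S+)\s+(\S+)$", line)
        if m:
            labels[m.group(5)] = m.group(3)
    return labels

def created_file_type(domain, dir_type):
    """Type a new file gets when `domain` creates it in a directory of `dir_type`."""
    return TYPE_TRANSITIONS.get((domain, dir_type), dir_type)

def remediation(path, wanted_type):
    """Commands from the answer that relabel `path` so new files get `wanted_type`."""
    return [
        f'semanage fcontext -a -t {wanted_type} "{path}(/.*)?"',
        f"restorecon -RF {path}",
    ]

def audit(output, domain="httpd_t", wanted_type="httpd_sys_rw_content_t"):
    """Return {path: commands} for directories whose new files would be mislabelled."""
    findings = {}
    for path, dir_type in parse_ls_z(output).items():
        if created_file_type(domain, dir_type) != wanted_type:
            findings[path] = remediation(path, wanted_type)
    return findings

if __name__ == "__main__":
    for path, cmds in audit(LS_Z_OUTPUT).items():
        print(f"{path}: files created here by httpd_t would not be httpd_sys_rw_content_t")
        print("\n".join("  " + c for c in cmds))
```

On a real host, replace LS_Z_OUTPUT with the output of `ls -Zd /var/www/project/tmp /var/www/project/uploads`; the script only proposes commands and never runs them.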