php.ini INI_SYSTEM: local value of "sys_temp_dir" does not overide master value and can bypass "open_basedir" (not a security issue FMPOV)

[trendymail]

Description

Hello!

I really hope this "issue" is not a duplicate: found nothing specific about this behavior in open/closed issues or mailing list archives.

Long story short: parameter "sys_temp_dir" does not seem to work as intended when overridden in a specific vhost.

• Linux VPS - Debian 12 (bookworm) - 32 vCore - 32 Go RAM - 4 Go SWAP

• PHP versions tested: 7.4.33, 8.0.30, 8.1.27, 8.2.17 and 8.3.4

• Opcache:
  opcache.error_log = /var/log/php8.3/opcache.log
opcache.log_verbosity_level = 2
opcache.max_accelerated_files = 16229
opcache.max_file_size = 4194304
opcache.max_wasted_percentage = 1
opcache.memory_consumption = 320
opcache.revalidate_freq = 0

• /etc/php/8.3/fpm/php.ini
  doc_root = /var/jail/deny/
open_basedir = /var/jail/deny/
sys_temp_dir = /var/jail/allow/

• /var/jail/
  drwxr-xr-x 5 root root 4096 2024-04-03 21:14 ./
drwxr-xr-x 13 root root 4096 2024-03-04 14:38 ../
drwx------ 2 root root 4096 2024-04-03 20:48 deny/
drwx------ 2 www-vhost root 4096 2024-04-03 21:16 allow/

• /etc/php/8.3/fpm/conf.d/99-vhosts.ini
  [PATH=/vhosts/www.website.tld]
doc_root = /vhosts/www.website.tld/html/
open_basedir = /vhosts/www.website.tld/
sys_temp_dir = /vhosts/www.website.tld/var/tmp/

• /vhosts/www.website.tld/var/
  drwxr-x--- 6 root www-vhost 4096 2021-09-15 23:16 ./
drwxr-x--- 7 root www-vhost 4096 2024-03-02 00:52 ../
drwxr-x--- 2 www-vhost www-vhost 4096 2024-04-03 20:35 tmp/

• phpinfo:
  Directive Local Value Master Value
doc_root /vhosts/www.website.tld/html/ /var/jail/deny/
open_basedir /vhosts/www.website.tld/ /var/jail/deny/
sys_temp_dir /vhosts/www.website.tld/var/tmp/ /var/jail/allow/

So far so good... ^^

But, what really happens, is that some temporary files are still created/written in "/var/jail/allow/" directory:

# inotifywait -m -r /var/jail/
Setting up watches. Beware: since -r was given, this may take a while!
Watches established.
/var/jail/allow/ CREATE phpoWnujz
/var/jail/allow/ OPEN phpoWnujz
/var/jail/allow/ MODIFY phpoWnujz
/var/jail/allow/ MODIFY phpoWnujz
/var/jail/allow/ ACCESS phpoWnujz
/var/jail/allow/ CLOSE_WRITE,CLOSE phpoWnujz
/var/jail/allow/ DELETE phpoWnujz

Please note that path "/var/jail/allow/" is outside "open_basedir" directory and PHP does not yield any warning or error.

Also, if "sys_temp_dir" master value is set to a path not readable/writable by PHP ("www-vhost" in this case), temporary files are not created at all, even if phpinfo() says that "/vhosts/www.website.tld/var/tmp/" is used.

If you need more infos, please ask!

Have a great day and many, many thanks for PHP. :)

PHP Version

PHP 7.4.33 PHP 8.0.30 PHP 8.1.27 PHP 8.2.17 PHP 8.3.4

Operating System

Debian 12 (bookworm)

[trendymail]

Did I say something wrong?

Please, feel free to close this as "bogus".

Or just send me a RTFM link! :)