the chmod change i already had within the changelog (by mistake). This should further secure writable directories and created files.

Installation need to be tested on different hosts.

git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@8763 89ea8834-ac86-4346-8a33-228a782c2dd0

phpBB/includes/acm/acm_file.php

@@ -93,7 +93,7 @@ class acm
 			@flock($fp, LOCK_UN);
 			fclose($fp);
 
-			@chmod($this->cache_dir . 'data_global.' . $phpEx, 0666);
+			phpbb_chmod($this->cache_dir . 'data_global.' . $phpEx, 'rwrite');
 		}
 		else
 		{
@@ -197,7 +197,7 @@ class acm
 				@flock($fp, LOCK_UN);
 				fclose($fp);
 
-				@chmod($this->cache_dir . "data{$var_name}.$phpEx", 0666);
+				phpbb_chmod($this->cache_dir . "data{$var_name}.$phpEx", 'rwrite');
 			}
 		}
 		else
@@ -416,7 +416,7 @@ class acm
 			@flock($fp, LOCK_UN);
 			fclose($fp);
 
-			@chmod($filename, 0666);
+			phpbb_chmod($filename, 'rwrite');
 
 			$query_result = $query_id;
 		}

phpBB/includes/acp/acp_attachments.php

@@ -1196,7 +1196,7 @@ class acp_attachments
 			if (!file_exists($phpbb_root_path . $upload_dir))
 			{
 				@mkdir($phpbb_root_path . $upload_dir, 0777);
-				@chmod($phpbb_root_path . $upload_dir, 0777);
+				phpbb_chmod($phpbb_root_path . $upload_dir, 'rwrite');
 			}
 		}
 

phpBB/includes/acp/acp_language.php

@@ -277,7 +277,7 @@ class acp_language
 							{
 								trigger_error("Could not create directory $dir", E_USER_ERROR);
 							}
-							@chmod($dir, 0777);
+							phpbb_chmod($dir, 'write-all');
 						}
 					}
 				}

phpBB/includes/functions.php

@@ -459,6 +459,108 @@ function _hash_crypt_private($password, $setting, &$itoa64)
 	return $output;
 }
 
+/**
+* Global function for chmodding directories and files.
+* This function supports different modes to distinguish between writeable/non-writeable.
+* The function sets the appropiate execute bit on directories
+*
+* Supported modes are:
+*
+* rread (600):		Restrictive, only able to be read/write by the apache/site user.
+*					Used for files which only need to be accessible by phpBB itself and should never be accessible from the outside/web.
+* read (644):		Read-only permission for the site group/everyone. Used for ordinary files.
+* write (664):		Write-permission for the site group, read permission for everyone. Used for writeable files.
+* write-all (666):	Write-permission for everyone. Should only be used for temporary files.
+*
+* rwrite (0660):	Write-permission only for the site user/group. Used for files phpBB need to write to but within the cache/store/files directory.
+*
+* NOTE: If rwrite (restrictive write) is used, the function makes sure the file is writable by calling is_writable. If it is not, it falls back to 'write'
+* and then to 'write-all' to make sure the file is writable on every host setup.
+* NOTE: If rread (restrictive read) is used, the function makes sure the file is readable by calling is_readable. If it is not, it falls back to 'sread' (internal mode 640) and then to 'read'.
+*
+* @param $filename The file/directory to be chmodded
+* @param $mode The mode to set.
+* @return True on success, false if the mode was not set
+*/
+function phpbb_chmod($filename, $mode = 'read')
+{
+	switch ($mode)
+	{
+		case 'rread':
+			$chmod = 0600;
+		break;
+
+		// System-read, only used internally
+		case 'sread':
+			$chmod = 0640;
+		break;
+
+		case 'rwrite':
+			$chmod = 0660;
+		break;
+
+		case 'write':
+			$chmod = 0664;
+		break;
+
+		case 'write-all':
+			$chmod = 0666;
+		break;
+
+		case 'read':
+		default:
+			$chmod = 0644;
+		break;
+	}
+
+	// Return if the file no longer exist
+	if (!file_exists($filename))
+	{
+		return false;
+	}
+
+	// Add the execute bit if it is a directory
+	if (is_dir($filename))
+	{
+		// This line sets the correct execute bit on those "3-bits" being defined. 0644 becomes 0755 for example.
+		$chmod |= ($chmod & 7) ? 73 : (($chmod & 56) ? 72 : 64);
+	}
+
+	// Set mode
+	$result = @chmod($filename, $chmod);
+
+	// Check for is_writable
+	if ($mode == 'rwrite')
+	{
+		// We are in rwrite mode, so, make sure the file is writable
+		if (!is_writable($filename))
+		{
+			$result = phpbb_chmod($filename, 'write');
+
+			if (!is_writable($filename))
+			{
+				$result = phpbb_chmod($filename, 'write-all');
+			}
+		}
+	}
+
+	// Check for is_readable
+	if ($mode == 'rread')
+	{
+		if (!is_readable($filename))
+		{
+			$result = phpbb_chmod($filename, 'sread');
+
+			if (!is_readable($filename))
+			{
+				$result = phpbb_chmod($filename, 'read');
+			}
+		}
+	}
+
+	return $result;
+}
+
 // Compatibility functions
 
 if (!function_exists('array_combine'))

phpBB/includes/functions_compress.php

@@ -228,7 +228,7 @@ class compress_zip extends compress
 									{
 										trigger_error("Could not create directory $folder");
 									}
-									@chmod($str, 0777);
+									phpbb_chmod($str, 'rwrite');
 								}
 							}
 						}
@@ -257,7 +257,7 @@ class compress_zip extends compress
 								{
 									trigger_error("Could not create directory $folder");
 								}
-								@chmod($str, 0777);
+								phpbb_chmod($str, 'rwrite');
 							}
 						}
 					}
@@ -544,7 +544,7 @@ class compress_tar extends compress
 								{
 									trigger_error("Could not create directory $folder");
 								}
-								@chmod($str, 0777);
+								phpbb_chmod($str, 'rwrite');
 							}
 						}
 					}
@@ -571,7 +571,7 @@ class compress_tar extends compress
 							{
 								trigger_error("Could not create directory $folder");
 							}
-							@chmod($str, 0777);
+							phpbb_chmod($str, 'rwrite');
 						}
 					}
 
@@ -580,7 +580,7 @@ class compress_tar extends compress
 					{
 						trigger_error("Couldn't create file $filename");
 					}
-					@chmod($target_filename, 0777);
+					phpbb_chmod($target_filename, 'rwrite');
 
 					// Grab the file contents
 					fwrite($fp, ($filesize) ? $fzread($this->fp, ($filesize + 511) &~ 511) : '', $filesize);

phpBB/includes/functions_messenger.php

@@ -562,7 +562,7 @@ class queue
 
 		$fp = @fopen($this->cache_file . '.lock', 'wb');
 		fclose($fp);
-		@chmod($this->cache_file . '.lock', 0666);
+		phpbb_chmod($this->cache_file . '.lock', 'write-all');
 
 		include($this->cache_file);
 
@@ -697,7 +697,7 @@ class queue
 				@flock($fp, LOCK_UN);
 				fclose($fp);
 
-				@chmod($this->cache_file, 0666);
+				phpbb_chmod($this->cache_file, 'rwrite');
 			}
 		}
 
@@ -738,7 +738,7 @@ class queue
 			@flock($fp, LOCK_UN);
 			fclose($fp);
 
-			@chmod($this->cache_file, 0666);
+			phpbb_chmod($this->cache_file, 'rwrite');
 		}
 	}
 }

phpBB/includes/functions_posting.php

@@ -729,7 +729,7 @@ function create_thumbnail($source, $destination, $mimetype)
 		return false;
 	}
 
-	@chmod($destination, 0666);
+	phpbb_chmod($destination, 'rwrite');
 
 	return true;
 }

phpBB/includes/functions_template.php

@@ -755,7 +755,7 @@ class template_compile
 			@flock($fp, LOCK_UN);
 			@fclose($fp);
 
-			@chmod($filename, 0666);
+			phpbb_chmod($filename, 'rwrite');
 		}
 
 		return;

phpBB/includes/functions_upload.php

@@ -263,10 +263,11 @@ class filespec
 	*
 	* @param string $destination_path Destination path, for example $config['avatar_path']
 	* @param bool $overwrite If set to true, an already existing file will be overwritten
-	* @param octal $chmod Permission mask for chmodding the file after a successful move
+	* @param string $chmod Permission mask for chmodding the file after a successful move. The mode entered here reflects the mode of phpbb_chmod()
 	* @access public
+	* @see phpbb_chmod()
 	*/
-	function move_file($destination, $overwrite = false, $skip_image_check = false, $chmod = 0666)
+	function move_file($destination, $overwrite = false, $skip_image_check = false, $chmod = 'rwrite')
 	{
 		global $user, $phpbb_root_path;
 
@@ -345,7 +346,15 @@ class filespec
 				break;
 			}
 
-			@chmod($this->destination_file, $chmod);
+			// Backward compatibility - in versions prior to 3.0.3 $chmod was an octal
+			if (!is_string($chmod))
+			{
+				@chmod($this->destination_file, $chmod);
+			}
+			else
+			{
+				phpbb_chmod($this->destination_file, $chmod);
+			}
 		}
 
 		// Try to get real filesize from destination folder

phpBB/install/install_install.php

@@ -438,16 +438,14 @@ class install_install extends module
 			if (!file_exists($phpbb_root_path . $dir))
 			{
 				@mkdir($phpbb_root_path . $dir, 0777);
-				@chmod($phpbb_root_path . $dir, 0777);
+				phpbb_chmod($phpbb_root_path . $dir, 'rwrite');
 			}
 
 			// Now really check
 			if (file_exists($phpbb_root_path . $dir) && is_dir($phpbb_root_path . $dir))
 			{
-				if (!@is_writable($phpbb_root_path . $dir))
+				// Make writeable only for apache user
-				{
+				phpbb_chmod($phpbb_root_path . $dir, 'rwrite');
-					@chmod($phpbb_root_path . $dir, 0777);
-				}
 				$exists = true;
 			}
 
@@ -877,7 +875,7 @@ class install_install extends module
 		}
 		@fclose($fp);
 
-		@chmod($phpbb_root_path . 'cache/install_lock', 0666);
+		phpbb_chmod($phpbb_root_path . 'cache/install_lock', 'write-all');
 
 		$load_extensions = implode(',', $load_extensions);
 
@@ -930,7 +928,8 @@ class install_install extends module
 
 			if ($written)
 			{
-				@chmod($phpbb_root_path . 'config.' . $phpEx, 0644);
+				// Readable by apache user/group, not by any other means
+				phpbb_chmod($phpbb_root_path . 'config.' . $phpEx, 'rread');
 			}
 		}