A bit of a long shot here but thought I'd see if anyone had a fix for this:
I am having an issue whereby the PHP function unlink() is being able to successfully delete a file even though explicit deny NTFS permissions have been applied to the file in question. I have even tried removing all NTFS file permissions and the like - same outcome and it has me stumped.
FACTS
I have Apache 2.2.22 running PHP 5.4.5 on Windows Server 2008 R2
Apache/PHP are running under user EXODUS\wwwuser, proven by response to 'whoami' at command line from running PHP script - eg:
echo exec('whoami');returns
EXODUS\wwwuserThe file 'deleteme.txt' is created by a member of the 'BUILTIN\Administrators' group, explicity deny permissions are applied to the file for EXODUS\wwwuser - however, PHP's unlink() function successfully deletes the file.
I have tried this same thing by removing permission inheritance on this file, removing all permissions (including SYSTEM), and applying explicit deny 'FULL CONTROL' to EXODUS\wwwuser - guess what, unlink() still deletes the file...
EXODUS\wwwuser is a member of BUILTIN\Users, however this doesn't indicate that this would impact the situation.
File cannot be deleted by EXODUS\wwwuser when logged in interactively.
When files are written by PHP, file owner is 'EXODUS\wwwuser'
Does anyone have any thoughts on this?
How would I go about providing folders/files that cannot be deleted in a location via PHP's unlink() that are inside a defined 'open_basedir' area?
I'm using 'open_basedir' to stop scripts tampering with files outside of the declared open_basedir - this seems to be working fine - eg: can't delete files that are outside the location defined by 'open_basedir'.
