plugin-SecurityInfo

Check for user_id and group_id maybe broken

Open gittoar opened this issue 10 years ago • 1 comments

User-ID: 33 Group-ID: 33

Yes, it is lower than 100 and therefore an issue but due to restrictions via PHP disable_functions the checks don't work via phpsecinfo.com, i.e. "Not Run Functions required to retrieve group ID not available".

So SecurityInfo does not check the return codes/info from phpsecinfo.com properly, or the implementation differs from phpsecinfo.com. This is confusing and should be corrected and better documented for minimal debugging purposes. Thanks.

gittoar, Dec 28 '15 14:12

I'm seeing this warning because PHP is running as UID and GID 48 (user apache).

/**
 * the minimum "safe" UID that php should be executing as.  This can vary,
 * but in general 100 seems like a good min.
 *
 */
define('PHPSECINFO_MIN_SAFE_UID', 100);

I couldn't find any reference why UIDs less than 100 (besides UID 0) are privileged and unsafe. UID 0-99 is reserved for system users and should not be used by applications according to LSB, but this doesn't automatically make them privileged and unsafe. Please change this test!

dimejo, Jan 21 '25 10:01

Same issue here… I’m still seeing the warnings about user_id and group_id being “privileged” users/groups in the SecurityInfo plugin. Here are my system details for the Apache user running PHP-FPM:

$ id apache
uid=48(apache) gid=48(apache) groups=48(apache)

These warnings seem misleading in this context 🤔

fuzsin, Sep 10 '25 14:09
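
The two behaviours discussed in this thread (a lookup that cannot run because of disable_functions, and IDs below the threshold of 100), sketched as an added example that is not code from phpsecinfo or plugin-SecurityInfo. The helper names `classify_id` and `read_id`, the result labels, and the choice to read IDs with PHP's `posix_getuid()`/`posix_getgid()` are assumptions made for illustration.

```php
<?php
// Added illustration; not code from phpsecinfo or plugin-SecurityInfo.
// The threshold mirrors PHPSECINFO_MIN_SAFE_UID as quoted in the thread.
const MIN_SAFE_ID = 100;

/**
 * Classify a numeric UID or GID (hypothetical helper).
 * null means the ID could not be read; that is reported as "not_run"
 * instead of being folded into a warning.
 */
function classify_id(?int $id): string
{
    if ($id === null) {
        return 'not_run';        // lookup function disabled or missing
    }
    if ($id === 0) {
        return 'root';           // the superuser
    }
    if ($id < MIN_SAFE_ID) {
        return 'system_range';   // below the threshold, e.g. 33 or 48
    }
    return 'ok';
}

/**
 * Read a process ID via the named POSIX function (hypothetical helper).
 * function_exists() returns false for names listed in disable_functions,
 * so a disabled lookup yields null rather than a bogus value.
 */
function read_id(string $fn): ?int
{
    return function_exists($fn) ? $fn() : null;
}

$report = [
    'user_id'  => classify_id(read_id('posix_getuid')),
    'group_id' => classify_id(read_id('posix_getgid')),
];

// Constructed sample inputs: the IDs mentioned in the thread plus edge cases.
foreach ([null, 0, 33, 48, 1000] as $sample) {
    printf("%-5s => %s\n", var_export($sample, true), classify_id($sample));
}
print_r($report);
```

Keeping `not_run` and `system_range` as separate results lets a report show which condition applied instead of one generic warning.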