I have setup a demo "admin" website with all file permissions set to 555 for directories and 444 for files so that any "save" functionality is disabled. So far so good.
However, I noticed that the PHP touch() function is unaffected by file permissions? I am successfully running PHP touch() on directories that have no-WRITE permissions (555). Seems a bit odd. Is this intended behavior (PHP 7.2)?
I am trying to prevent touch() from being able to execute (via file permissions), but can't currently see how this is possible.
Thanks.
From the utimes(3) documentation:
The effective user ID of the process shall match the owner of the file, or has write access to the file or appropriate privileges to use this call in this manner.
So the owner can update the timestamps even without write access. You need to change the ownership of the files so they're not the same as the user running the PHP script.
If this is a problem, maybe you should use some other method to keep track of changes that the file modification times.