PHP :: Request #20054 :: safe_mode_include_dir not being used correctly

Request #20054

safe_mode_include_dir not being used correctly

Submitted:

2002-10-24 02:49 UTC

Modified:

2010-11-18 12:32 UTC

Votes:	29
Avg. Score:	4.3 ± 1.1
Reproduced:	21 of 22 (95.5%)
Same Version:	5 (23.8%)
Same OS:	5 (23.8%)

From:

public at cs dot uwa dot edu dot au

Assigned:

Status:

Wont fix

Package:

Safe Mode/open_basedir

PHP Version:

4.3.0-dev

OS:

Linux - Redhat 7.3

Private report:

CVE-ID:

None

View Developer Edit

[2002-10-24 02:49 UTC] public at cs dot uwa dot edu dot au

    This is possibly related to Bug #17858.

    We've got Apache2 on Redhat 7.3, with safemode in php enabled.  We have safe_mode_gid set to on as well.  The safe_mode include directory is set as follows:
safe_mode_include_dir = "/home/staff/ryan/WWW"


I've then got the test script:

<?php
if ($dir = opendir("/home/staff/ryan/WWW"))
        {while (($file = readdir($dir)) !== false) {
            echo "$file\n";
          }
          closedir($dir);
        } else {
                echo "FAILED";
        }
?>

     That script has the following ownership permissions:
-rw-r--r--    1 web   nobody        229 Oct 24 15:31 test2.php

      And /home/staff/ryan/WWW is:
drwxr-xr-x    5 ryan     staff        4096 Oct 21 17:30 WWW

      Calling the script displays "FAILED" on the browser and causes the two following errors in the error log:
PHP Warning:  opendir() [<a href='http://www.php.net/function.opendir'>function.opendir</a>]: SAFE MODE Restriction in effect.  The script whose uid/gid is 89/99 is not allowed to access /home/staff/ryan/WWW/ owned by uid/gid 270/110 in /home/www/DOCS/phptest/test2.php on line 3
PHP Warning:  opendir(/home/staff/ryan/WWW/) [<a href='http://www.php.net/function.opendir'>function.opendir</a>]: failed to open dir: Inappropriate ioctl for device in /home/www/DOCS/phptest/test2.php on line 3


     Changing the ownership permissions to the same user and/or group causes the script to execute fine, displaying the contents with no problems or errors.

      It would appear that the safe_mode_include_dir value is not being used, but I'm also open to the suggesion that I've stuffed up somewhere else.

      For the record, I originally started having problems with 4.2.2 (user and group returned as -1) this was fixed upgrading to 4.3.0-pre1, but then the include_dir still had problems.  I've tested it with today's snapshot (php4-200210232100) and still have the same problem.

      My config options looks like :
./configure --with-mysql=/usr/local/mysql --with-openssl --with-xml --enable-track-vars --enable-force-cgi-redirect --enable-versioning --with-apxs2=/usr/local/httpd/bin/apxs --with-zlib --enable-ftp --enable-sockets --with-gettext --with-imap=/usr/local/imap --with-imap-ssl

      Ummm, help?

      Cheers, 
             Ryan.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-10-24 12:17 UTC] sniper@php.net

Correct version (user tried with snapshot too..)

[2002-10-30 11:37 UTC] iliaa@php.net

The current implementation of safe_mode_include_dir only allows require/include functions to bypass safe_mode. I've began a discussion on php-dev on whether or not this should be expanded to include other file operations. If you have an opinion on the matter, make it known there (php-dev).

[2002-11-02 01:30 UTC] vegaspctech at yahoo dot com

I've got Apache 2 and PHP 4.3.0-dev on Red Hat 7.2 with /usr/share/pear in safe_mode_include_dir and I get "SAFE MODE Restriction in effect.  The script whose uid is 502 is not allowed to access /usr/share/pear/Mail.php owned by uid 0" etc., with 'require_once( "Mail.php" );' and 'require( "Mail.php" );' and 'include( "Mail.php" );' and 'include( "/usr/share/pear/Mail.php" );' and every other variation I can think to try.

[2002-11-20 00:53 UTC] public at cs dot uwa dot edu dot au

Just for the record, I wrote a patch for this to allow for paths to be excluded from the safemode checks basically the same as the include value does.  Posted that the the developers list asking if anyone was interested, enver got a reply, so I thought I'd add it in here for completeness sake.

    If anyone has any suggestions with what I can do with the patch, let me know :}

[2003-07-21 19:06 UTC] iliaa@php.net

The safe_mode_include_dir as it's name suggests is specifically tailored to allow include/require exceptions that are READ only. If what you ask is to be implemented it could open a number of security holes by allowing write/create/overwrite access to execluded directories. The corect solution would be to add another directive where you could specify a list of excluded directories inside user will have full access regardless of safe_mode. Since this already more of a feature request rather then a bug I am marking it as such.

[2004-03-29 03:53 UTC] 99 at 9988 dot idv dot tw

[2010-11-18 12:32 UTC] jani@php.net

-Status: Analyzed +Status: Wont fix -Package: Feature/Change Request +Package: Safe Mode/open_basedir

[2010-11-18 12:32 UTC] jani@php.net

Safe mode will be gone soon. This will never happen in older releases either.

[2022-03-23 05:23 UTC] giw42161 at uooos dot com

Century Law Firm is the best team of lawyers for divorce case, Drt Case, High Court Matter, Civil and Criminal Cases and more in Delhi. 
(https://centurylawfirm.in/)gist.github.com

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Nov 30 21:00:01 2025 UTC