Bug #23696 safe_mode uid test in apache chroot
Submitted: 2003-05-19 08:05 UTC Modified: 2003-06-29 20:51 UTC
Votes:6
Avg. Score:5.0 ± 0.0
Reproduced:6 of 6 (100.0%)
Same Version:5 (83.3%)
Same OS:4 (66.7%)
From: veins at skreel dot org Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 4.3.1 OS: Unix
Private report: No CVE-ID: None
 [2003-05-19 08:05 UTC] veins at skreel dot org
I am running apache in a chroot() and figured out yesterday that it breaks the uid checks in safe mode.

From what I understood, PHP *emulates* setuid scripts by checking ownership of a file before accessing it from another. This could theoretically be done by calling stat() on the file and checking the st_uid field, but for some reason it appears that if the user database is not in the chroot, PHP will fail the checks; to be more precise, the check will always appear to be valid (I suspect this to be the result of a comparison between two error values).

This means that:
<?
  include('someonesfile');  // will succeed

  echo getmyuid();          // the uid of owner of file
                            // not from apache's child
?>

Since getmyuid() shows me the uid of the owner of the file, it proves to me that the uid of the owner of the file is successfully detected (stat()?), and since include() succeeds (unless I start copying all the user and group files into the chroot) despite the fact that the owner of 'someonesfile' is not equal to the value of getmyuid(), it makes me think that a getpw*() function call is being used for some reason that I couldn't figure out yet.

I didn't get a chance yet to look deep inside the source code since I'm ill, so the reasons why this happens are plain suppositions, but the problem occurs. I'm sorry if I am not clear; mail me and I will try to explain in a clearer way. I will try to get some free time this week to figure this out since it's quite annoying, but maybe a developer could explain briefly how the checks are done?

 [2003-05-22 09:18 UTC] veins at skreel dot org
I have played a bit with this issue and figured out the following:

Still in my chrooted environment:
<? include("./file"); ?> triggers the safe_mode error

<? include("file"); ?> works when it should not

I am currently reading the sources but need some time to understand a few things (lots of weird macros, lots of strange functions, and what files do what)  :)

Any help in fixing this issue will be greatly appreciated.
 [2003-06-29 20:51 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

include("./file"); tries to open a file from the current directory, while include("file"); will try to open the file from any path listed in include_path. One of those may very well match something your safe_mode allows, hence the working include.
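
Added example, not part of the original report and not PHP's own code: a small audit script that shows which file each form of the include argument resolves to and whether that file's owner matches the running script's owner. The function name audit_include and the temporary directory layout are constructed for illustration.

```php
<?php
// Hypothetical helper: report what include($name) would open and who owns it.
function audit_include(string $name): array
{
    // stream_resolve_include_path() applies the same lookup rules as include():
    // "./x" and "../x" are taken relative to the working directory, while a
    // bare "x" is searched for in each include_path entry in order.
    $resolved = stream_resolve_include_path($name);
    if ($resolved === false) {
        return ['name' => $name, 'resolved' => null, 'owner' => null, 'same_owner' => null];
    }
    $owner = fileowner($resolved);          // numeric uid taken from stat()
    return [
        'name'       => $name,
        'resolved'   => $resolved,
        'owner'      => $owner,
        'same_owner' => ($owner === getmyuid()),   // getmyuid(): owner of this script
    ];
}

// Constructed sample layout: the same file name exists in the working
// directory and in a directory listed first in include_path.
$base = sys_get_temp_dir() . '/incdemo_' . getmypid();
mkdir("$base/cwd", 0700, true);
mkdir("$base/lib", 0700, true);
file_put_contents("$base/cwd/file", "<?php // copy in working directory\n");
file_put_contents("$base/lib/file", "<?php // copy found via include_path\n");

chdir("$base/cwd");
set_include_path("$base/lib" . PATH_SEPARATOR . '.');

foreach (['./file', 'file', 'missing'] as $name) {
    $r = audit_include($name);
    printf(
        "%-8s -> %s (owner uid: %s, same owner as script: %s)\n",
        $r['name'],
        $r['resolved'] ?? 'not found',
        var_export($r['owner'], true),
        var_export($r['same_owner'], true)
    );
}

// Remove the constructed files again.
unlink("$base/cwd/file");
unlink("$base/lib/file");
chdir(sys_get_temp_dir());
rmdir("$base/cwd");
rmdir("$base/lib");
rmdir($base);
```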
 