When safe mode is on php is unable to determine the uid of the running
script, it reports it as -1.  As you might imagine, this completely
breaks the utility of safe mode with respect to file access.  Also, the
same bug occurs when using safe_mode_gid (it reports the gid as -1 as
well).  Note that it does get the appropriate uid/gid for the file that
is attempted to be accessed.

I am running Apache 2.0.36 and the newest version of PHP (4.2.1).

I did some poking around and I think I found out what's going on.  In
ext/standard/pageinfo.c, php_statpage() tries to determine and stat the
running script file like so:

--------------------------------------------
       pstat = sapi_get_stat(TSRMLS_C);
   
        if (BG(page_uid)==-1 || BG(page_gid)==-1) {
                if(pstat) {
                        BG(page_uid)   = pstat->st_uid;
                        BG(page_gid)   = pstat->st_gid;
                        BG(page_inode) = pstat->st_ino;
                        BG(page_mtime) = pstat->st_mtime;
                }
        }
--------------------------------------------

pstat is not properly set by sapi_get_stat() (from main/SAPI.c) so the
page_uid et al values are not changed, and retain their defaults (-1).

I looked around a bit to see if I could make a workaround by stating the
script file without using sapi_get_stat but I couldn't figure out what
variable contained the script filename.

Little bit of extra info (which may or may not be helpful), OS version:
Linux version 2.4.7-10smp (bhcompile@stripples.devel.redhat.com) (gcc
version 2.96 20000731 (Red Hat Linux 7.1 2.96-98)) #1 SMP Thu 
Sep 6 17:09:31 EDT 2001

Apache config commands:
./configure --prefix=/usr/local/apache --enable-so
--enable-rewrite=shared --enable-ssl=shared --enable-suxec=shared

PHP config commands:
./configure --with-mysql=/usr/local/mysql
--with-apxs2=/usr/local/apache/bin/apxs

Update.

I installed the CVS release (4.3.0-dev) and the problem still exists
there.  I switched over to the CGI/commandline install of PHP (4.2.1)
and it works correctly (i.e. when safe_mode is on it gets the correct
uid of the file owner).

reclassify as an apache 2 issue

I hit the same problem too with apache 2.0.36/php 4.2.1. I figured out
where the problem was and fixed it. The apache2filter sapi module wasn't
implementing a get_stat function. You can grab the patch from:

http://www.brian-web.com/misc/apache2-php-safemode.patch

I'm not too familiar with the Apache2 or PHP source, so someone else
should probably take a look at it. Basically, it takes the apr_finfo_t
struct from apache and converts it back to a struct stat for php.

That patch I just posted is broken with Apache 2.0.39, apparently the
finfo struct isn't filled in 2.0.39 at the point that I was accessing
it. (Its all 0s). If you move the call to php_apr_finfo2stat to
php_apache_get_stat it works, but then its runs everytime
php_apache_get_stat is called, which I was trying to avoid.

While this may have been assigned as an Apache 2.x problem,
I observe safe_mode_gid not working for most GIDs, works
for a few, regardless whether the user's GID set includes
it.

The environment is Apache 1.3.26 with PHP 4.2.2 as a module,
under Solaris 2.8.

See <http://bugs.php.net/bug.php?id=17858> - patch available at
<http://www.slamb.org/php-apache2-safemode.patch>.

Must be fixed before 4.3.0

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

I have the same problem with safe mode "uid -1" in apache 1.3.27 php
4.2.3 on Redhat 7.1