PHP :: Bug #14448 :: exec()-like calls are done with webserver uid

Bug #14448	exec()-like calls are done with webserver uid
Submitted:	2001-12-12 06:17 UTC	Modified:	2001-12-12 08:26 UTC
From:	veins at skreel dot org	Assigned:
Status:	Not a bug	Package:	Unknown/Other Function
PHP Version:	4.1.0	OS:	Unix
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	veins at skreel dot org
New email:
PHP Version:		OS:

New/Additional Comment:

[2001-12-12 06:17 UTC] veins at skreel dot org

When safe_mode is enabled, exec()-like calls are still done with the webserver uid, letting users execute any server scripts owned by 'www' (for example).

In the case that php_safe_dir = /usr/local/phpexec:

# chmod 700 /usr/local/phpexec
# chown www.www /usr/local/phpexec

inside i put the following sh script:

#!/bin/sh
#
echo `id`

Now i log in as user 'veins', make a php script with the following:

<? exec("/usr/local/phpexec/id.sh", $value, $return);
   echo $value[0]; ?>

when i go to  ~veins/id.php  i get the following:

uid=67(www) gid=67(www) groups=67(www)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-12-12 06:43 UTC] sander@php.net

Not a bug. Expected behaviour. RTM.
Safemode != suEXEC or something like that.

[2001-12-12 08:26 UTC] hholzgra@php.net

it is (AFAIK) not even possible to change the
UID for anyone but 'root'?

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 01:00:02 2025 UTC