Request #28394 Enhancements to safe_mode that will actually make people want to use it.
Submitted: 2004-05-14 11:48 UTC Modified: 2004-05-22 01:00 UTC
From: danm at prime dot gushi dot org Assigned:
Status: No Feedback Package: Feature/Change Request
PHP Version: 4.3.6 OS: Any
Private report: No CVE-ID: None

 [2004-05-14 11:48 UTC] danm at prime dot gushi dot org
Description:
------------
Safe mode is useless in a shared hosting environment.  A good 50 percent of the scripts that are available for users that are written to take advantage of the power and flexibility of php say right off the bat "this doesn't work if you're running under safe mode".

The documentation insists that it's not php's job to handle security, but safe_mode attempts to do it, because all php scripts run as the apache user.  What this results in is that any file created by php is unable to be altered or deleted by the regular user via shell/ftp.

What needs to happen, realistically, is that all the functions that normally have their behavior changed by safe_mode to do UID/GID checks, should use a suexec-like "wrapper" application (which does the same sorts of checks that suexec does on caller, uid, etc) that will open the filehandle for them with their UID.  Rather than PHP having to check the permissions like safe mode does, the job would be given back to the OS where it belongs.

This way, you still get the benefit of fast startup, because PHP remains a module (and the wrapper application is small enough to load fast).
      
Of course, this has its dangerous side too, so it would be the type of thing that would be off by default unless the user had passed all the necessary options to ./configure, like suexec.

Does this represent a monumental amount of new code?  Yes.  However, the place for it is in PHP's core.  This is a great idea if officially sanctioned, and an absolutely TERRIBLE idea if written by a third party.   Due to the tight nature of integration necessary, this MUST come from "inside".


 [2004-05-14 12:37 UTC] wez@php.net
You're welcome to write a patch that does all this.
If it works better than safe_mode, and doesn't make things slower for people that don't need it, then there is a chance it will be accepted.
 [2004-05-22 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 