php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #8963 using shared PHP libraries in safe_mode
Submitted: 2001-01-28 05:36 UTC Modified: 2006-10-27 00:49 UTC
From: js at lsc dot hu Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.0.4pl1 OS: Linux Red Hat 7.0 / i386
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: js at lsc dot hu
New email:
PHP Version: OS:

 

 [2001-01-28 05:36 UTC] js at lsc dot hu
When I set

include_path = ".:/usr/share/php"

to access shared libraries and

safe_mode = On

is set, users cannot use files in /usr/share/php, just because there're userid check in main/fopen_wrappers.c. It means in safe mode you can include files with the same owner userid only, as the controlling file (eg. which contains that include or require).

My opinion: checks, mandatory blockings and security enhancements should be distinguished via a new entry in php.ini.

Excerpt of my previous mail:

Check/block summary

env.var block:
  - AUTHORIZATION (only in apache SAPI)
function block:
  - dl
  - set_time_limit
function restrictions:
  - safe_mode_allowed_env_vars
  - safe_mode_protected_env_vars
privileges
  - sanity checks
    mkdir, rmdir, rename, unlink, copy, chkgrp, chown, chmod, touch,
    symlink, link, mkfifo, pg_loimport, filepro, filepro_rowcount,
    filepro_retrieve, dbase_open, dbase_create, dbmopen
  - special access permissions block
    chmod
  - userid checks
    fopen

Conclusion

Some things are must-have in safe_mode, but I would put an own flag for each type (well, the privilege sanity checks don't do any bad, so this type doesn't need another flag).

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-01-28 18:07 UTC] sniper@php.net
safe_mode has to be rewritten anyway..reclassified as feature/change request.

--Jani
 [2006-10-27 00:49 UTC] rasmus@php.net
Safe mode is gone now, so this doesn't apply anymore.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC