PHP :: Bug #14448 :: exec()-like calls are done with webserver uid

Bug #14448	exec()-like calls are done with webserver uid
Submitted:	2001-12-12 06:17 UTC	Modified:	2001-12-12 08:26 UTC
From:	veins at skreel dot org	Assigned:
Status:	Not a bug	Package:	Unknown/Other Function
PHP Version:	4.1.0	OS:	Unix
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	veins at skreel dot org
New email:
PHP Version:		OS:

New Comment:

[2001-12-12 06:17 UTC] veins at skreel dot org

When safe_mode is enabled, exec()-like calls are still done with the webserver uid, letting users execute any server scripts owned by 'www' (for example).

In the case that php_safe_dir = /usr/local/phpexec:

# chmod 700 /usr/local/phpexec
# chown www.www /usr/local/phpexec

inside i put the following sh script:

#!/bin/sh
#
echo `id`

Now i log in as user 'veins', make a php script with the following:

<? exec("/usr/local/phpexec/id.sh", $value, $return);
   echo $value[0]; ?>

when i go to  ~veins/id.php  i get the following:

uid=67(www) gid=67(www) groups=67(www)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-12-12 06:43 UTC] sander@php.net

Not a bug. Expected behaviour. RTM.
Safemode != suEXEC or something like that.

[2001-12-12 08:26 UTC] hholzgra@php.net

it is (AFAIK) not even possible to change the
UID for anyone but 'root'?

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed May 07 06:01:29 2025 UTC