PHP :: Request #26026 :: Add exec_dir directive (same as safe_mode_exec

Add exec_dir directive (same as safe_mode_exec_dir but without safe-mode)

Submitted:

2003-10-29 05:23 UTC

Modified:

2017-01-08 06:01 UTC

Votes:	8
Avg. Score:	4.5 ± 0.7
Reproduced:	6 of 7 (85.7%)
Same Version:	4 (66.7%)
Same OS:	4 (66.7%)

From:

roman at compic dot ee

Assigned:

krakjoe (profile)

Status:

Closed

Package:

Program Execution

PHP Version:

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	roman at compic dot ee
New email:
PHP Version:		OS:

New Comment:

[2003-10-29 05:23 UTC] roman at compic dot ee

Description:
------------
By bow we have safe_mode_exec_dir
working (and good) for shared hosting, only if SAFE_MODE enabled.

But often, SAFE_MODE need to be turned off. After this
safe_mode_exec_dir is nothing. So we need to disable some funtions (system,passthru,...). But it can be done only for _ALL_ hosts. So if one host use "system()" in "safe_mode 1" to one or two special programs and happy - i can't turn SAFE_MODE 0 for other hosts. It's became realy danger - sometimes users have unsecure scripts and by using 'blah.php?f=http://somethere...' intruder can get nobody shell. Nobody shell mean - He can read mysql password in config.php or settings.php files. He also can install blindshell.

So maybe good to add 'exec_dir' variable for working in 'safe_mode 0' ?


Reproduce code:
---------------
none needed

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-09-23 13:49 UTC] derbubi at gmx dot net

A Patch for this problem is available here:
http://kyberdigi.cz/projects/execdir/english.html

This Option would be very nice, even if it decreases performance (if this decrease is optional)

[2011-01-01 23:28 UTC] jani@php.net

-Summary: Advanced parametr, exec_dir for non SAFE_MODE +Summary: Add exec_dir directive (same as safe_mode_exec_dir but without safe-mode) -Package: Feature/Change Request +Package: Program Execution -Operating System: *nix +Operating System: * -PHP Version: 4.3.3 +PHP Version: *

[2012-04-20 12:53 UTC] php at cabillot dot eu

To the php team : what do you think about this feature ?

Now that safe_mode is disabled, how hosting companies can protect consumers from 
themselves ?

[2013-03-19 19:48 UTC] valentiny510 at yahoo dot es

After 10 years, with removed safe_mode, guys please just close many of old Bugs/Requests like this or simple add a new status like DEPRECATED.. or change something.. 10 Years.. cmon 

- - -

I remember a man who made an appointment with the doctor and 6-7 years after his death his widow received a letter saying that they canceled the appointment.

[2014-01-22 17:04 UTC] jcabillot at gmail dot com

Hi,

Can the PHP Team explain why this bug is still open and not included ?

Julien

[2017-01-08 06:01 UTC] krakjoe@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: krakjoe

[2017-01-08 06:01 UTC] krakjoe@php.net

We have moved away from this kind of magical configuration setting because it has proven inadequate.

I'm closing this bug.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 15:01:29 2024 UTC