PHP :: Request #28394 :: Enhancements to safe_mode that will actually make people want to use it.

Request #28394	Enhancements to safe_mode that will actually make people want to use it.
Submitted:	2004-05-14 11:48 UTC	Modified:	2004-05-22 01:00 UTC
From:	danm at prime dot gushi dot org	Assigned:
Status:	No Feedback	Package:	Feature/Change Request
PHP Version:	4.3.6	OS:	Any
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	danm at prime dot gushi dot org
New email:
PHP Version:		OS:

New Comment:

[2004-05-14 11:48 UTC] danm at prime dot gushi dot org

Description:
------------
Safe mode is useless in a shared hosting environment. A good 50 percent of the scripts that are available for users that are written to take advantage of the power and flexibility of php say right off the bat "this doesn't work if you're running under safe mode".

The documentation insists that it's not php's job to handle security, but safe_mode attempts to do it, because all php scripts run as the apache user. What this results in, is any file created by php is unable to be altered or deleted by the regular user via shell/ftp.

What needs to happen, realistically, is that all the functions that normally have their behavior changed by safe_mode to do UID/GID checks, should use a suexec-like "wrapper" application (which does the same sorts of checks that suexec does on caller, uid, etc)
that will open the filehandle for them with their UID. Rather than PHP having to check the permissions like safe mode does, the job would be given back to the OS where it belongs.

This way, you still get the benefit of fast startup, because PHP remains a module (and the wrapper application is small enough to load fast).

Of course, this has its dangerous side too, so it would be the type of thing that would be off-by default unless the user had passed all the necessary options to ./configure, like suexec.

Does this represent a monumental amount of new code? Yes. However, the place for it is in PHP's core. This is a great idea if officially sanctioned, and an absolutely TERRIBLE idea if written by a third party. Due to the tight nature of integration necessary, this MUST come from "inside".

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-05-14 12:37 UTC] wez@php.net

You're welcome to write a patch that does all this.
If it works better than safe_mode, and doesn't make things slower for people that don't need it, then there is a chance it will be accepted.

[2004-05-22 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Nov 06 18:00:01 2025 UTC