|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #16042 mkdir no longer works correcrly (wrong UID)
Submitted: 2002-03-13 09:26 UTC Modified: 2002-03-13 10:23 UTC
From: happycloud at undream dot com Assigned: jflemer (profile)
Status: Not a bug Package: *Directory/Filesystem functions
PHP Version: 4.1.2 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: happycloud at undream dot com
New email:
PHP Version: OS:


 [2002-03-13 09:26 UTC] happycloud at undream dot com
Linux 2.2.19/apache 1.3.23/ Safe mode on, latest security 

The following simple scripts no longer work:

mkdir('/var/www/web/test/testfolder' , 0777);
mkdir('/var/www/web/test/testfolder/another', 0777);
It generates: SAFE MODE Restriction in effect. ?The script 
whose uid is 48561 is not allowed to
?access /var/www/web/test/testfolder owned by uid 98 in ..


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-03-13 09:49 UTC]
The bug system is not the appropriate forum for asking support
questions. For a list of a range of more appropriate places to ask
for help using PHP, please visit
 [2002-03-13 09:57 UTC] happycloud at undream dot com
This is NOT a support question! 
We have lost 37 websites in the last few days due to a BUG 
in the security update. Come on people! I provided a 
sample script not because I need help, but because I 
thought you did. We are hacking into the php core now to 
get it running again as we are a hosting service and ALL 
AND EVERY WEBSITE USING PHP's mkdir function do not work 
because of a problem (READ BUG) with the uid setup.
 [2002-03-13 10:02 UTC]
Which working version were you using prior ?
 [2002-03-13 10:05 UTC]
Is it creating the first directory "testfolder", or does it fail on the first mkdir()?
 [2002-03-13 10:23 UTC]
The second mkdir() will fail with a safe_mode restriction as it should.  This is not a bug.  Files or directories created by PHP when PHP is running as an Apache module will be owned by the Apache user id.  There is simply no way around that given the current state of Apache.  And the safe-mode restriction correctly restricts you from creating a directory inside a directory not owned by the same uid as the script.  The fact that it worked before was a security problem which was fixed.

If you want to be able to do something like this, you should consider using the open_basedir restriction mechanism where all these checks are done based on the base directory and anything the user does within/beneath that base directory is ok.  

Please read and
 [2002-04-16 12:58 UTC] byg at cf1 dot ru
Actually, this is not a completely bogus claim.
Problem is really in safe_mode.c and inconvenient
limitations of safe_mode (e.g. see BUG 7204).
Mmm, I set safe_mode_include_dir to '/var/www/web'
(so I assume that uid/gid of all scripts in '/var/www/web'
should be taken in account, is it?)
But I've got the same error as here. It's a bug anyway.
Problem was sligthly reduced by safe_mode_gid and
I see the only way:
to have an optional php setting for a group (list of such groups?) which may and can to create/own PHP-scripts though
they could not in the same group as php itself.
Typical usage:
developer teams with default different groups
(project1, project2 and so on) which differ with www/apache user gid. These groups should be explicitly specified in either php.ini or on per-server basis (php_admin_value).

Has it sense?
I'm confused by possible overhead on getgrnam.

Probably it affects files: safe_mode.c, main.c, php_ini.c.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Jul 19 07:01:30 2024 UTC