Bug #17466 Safe mode uid -1 bug
Submitted: 2002-05-27 20:45 UTC
Modified: 2002-09-23 13:56 UTC
Votes:8
Avg. Score:4.9 ± 0.3
Reproduced:8 of 8 (100.0%)
Same Version:4 (50.0%)
Same OS:5 (62.5%)
From: cjones at dualboot dot net
Assigned:
Status: Closed
Package: Apache2 related
PHP Version: 4.2.1
OS: Linux 2.4.7-10
Private report: No
CVE-ID: None
 [2002-05-27 20:45 UTC] cjones at dualboot dot net
When safe mode is on, PHP is unable to determine the uid of the running script; it reports it as -1.  As you might imagine, this completely breaks the utility of safe mode with respect to file access.  Also, the same bug occurs when using safe_mode_gid (it reports the gid as -1 as well).  Note that it does get the appropriate uid/gid for the file that is attempted to be accessed.

I am running Apache 2.0.36 and the newest version of PHP (4.2.1).


I did some poking around and I think I found out what's going on.  In ext/standard/pageinfo.c, php_statpage() tries to determine and stat the running script file like so:

--------------------------------------------
        pstat = sapi_get_stat(TSRMLS_C);

        if (BG(page_uid)==-1 || BG(page_gid)==-1) {
                if(pstat) {
                        BG(page_uid)   = pstat->st_uid;
                        BG(page_gid)   = pstat->st_gid;
                        BG(page_inode) = pstat->st_ino;
                        BG(page_mtime) = pstat->st_mtime;
                }
        }
--------------------------------------------

pstat is not properly set by sapi_get_stat() (from main/SAPI.c) so the page_uid et al values are not changed, and retain their defaults (-1).


I looked around a bit to see if I could make a workaround by stating the script file without using sapi_get_stat but I couldn't figure out what variable contained the script filename.
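
The failure mode reported above, as an added stand-alone model (not PHP source and not part of the original report): when the SAPI layer supplies no stat data, the cached script uid keeps its -1 default and the safe mode owner comparison can never match. The `model_*` names and the use of "." as a stand-in script and target are assumptions, and the dispatch is simplified to "no callback means NULL".

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical, simplified stand-in for a SAPI module's callback table. */
struct sapi_model {
    const char *name;
    struct stat *(*get_stat)(void);  /* NULL: module does not implement it */
};

static struct stat script_stat;

/* A working get_stat; "." is a constructed stand-in for the script file. */
static struct stat *stat_script(void) {
    return stat(".", &script_stat) == 0 ? &script_stat : NULL;
}

/* Assumption of this model: no callback means no stat data at all. */
static struct stat *model_get_stat(const struct sapi_model *s) {
    return s->get_stat ? s->get_stat() : NULL;
}

/* Same shape as the reported snippet: -1 survives unless pstat is non-NULL. */
long model_page_uid(const struct sapi_model *s) {
    long page_uid = -1;
    struct stat *pstat = model_get_stat(s);
    if (page_uid == -1 && pstat)
        page_uid = (long)pstat->st_uid;
    return page_uid;
}

/* Safe mode owner rule: allow only if script owner equals file owner. */
int model_owner_check(const struct sapi_model *s, const char *path) {
    struct stat fst;
    if (stat(path, &fst) != 0)
        return 0;
    return model_page_uid(s) == (long)fst.st_uid;
}

const struct sapi_model without_get_stat = { "no get_stat", NULL };
const struct sapi_model with_get_stat    = { "with get_stat", stat_script };

int main(void) {
    const struct sapi_model *m[] = { &without_get_stat, &with_get_stat };
    for (int i = 0; i < 2; i++)
        printf("%-14s script uid=%ld owner check=%d\n", m[i]->name,
               model_page_uid(m[i]), model_owner_check(m[i], "."));
    return 0;
}
```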

 [2002-05-27 20:53 UTC] cjones at dualboot dot net
Little bit of extra info (which may or may not be helpful), OS version:
Linux version 2.4.7-10smp (bhcompile@stripples.devel.redhat.com) (gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-98)) #1 SMP Thu Sep 6 17:09:31 EDT 2001

Apache config commands:
./configure --prefix=/usr/local/apache --enable-so --enable-rewrite=shared --enable-ssl=shared --enable-suxec=shared

PHP config commands:
./configure --with-mysql=/usr/local/mysql --with-apxs2=/usr/local/apache/bin/apxs
 [2002-05-28 01:15 UTC] cjones at dualboot dot net
Update.

I installed the CVS release (4.3.0-dev) and the problem still exists there.  I switched over to the CGI/commandline install of PHP (4.2.1) and it works correctly (i.e. when safe_mode is on it gets the correct uid of the file owner).
 [2002-05-28 02:24 UTC] derick@php.net
reclassify as an apache 2 issue
 [2002-06-20 03:07 UTC] brian at brian-web dot com
I hit the same problem too with apache 2.0.36/php 4.2.1. I figured out where the problem was and fixed it. The apache2filter sapi module wasn't implementing a get_stat function. You can grab the patch from:

http://www.brian-web.com/misc/apache2-php-safemode.patch

I'm not too familiar with the Apache2 or PHP source, so someone else should probably take a look at it. Basically, it takes the apr_finfo_t struct from apache and converts it back to a struct stat for php.
 [2002-06-20 15:14 UTC] brian at brian-web dot com
That patch I just posted is broken with Apache 2.0.39; apparently the finfo struct isn't filled in 2.0.39 at the point that I was accessing it. (It's all 0s). If you move the call to php_apr_finfo2stat to php_apache_get_stat it works, but then it runs every time php_apache_get_stat is called, which I was trying to avoid.
 [2002-08-23 16:40 UTC] shollatz at d dot umn dot edu
While this may have been assigned as an Apache 2.x problem,
I observe safe_mode_gid not working for most GIDs, works
for a few, regardless whether the user's GID set includes
it.

The environment is Apache 1.3.26 with PHP 4.2.2 as a module,
under Solaris 2.8.
 [2002-08-29 15:09 UTC] slamb at slamb dot org
See <http://bugs.php.net/bug.php?id=17858> - patch available at <http://www.slamb.org/php-apache2-safemode.patch>.
 [2002-09-16 10:30 UTC] derick@php.net
Must be fixed before 4.3.0
 [2002-09-23 13:56 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 [2002-12-17 04:38 UTC] romio at aduva dot com
I have the same problem with safe mode "uid -1" in apache 1.3.27 php 4.2.3 on Redhat 7.1
 