php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #17466 Safe mode uid -1 bug
Submitted: 2002-05-27 20:45 UTC Modified: 2002-09-23 13:56 UTC
Votes:8
Avg. Score:4.9 ± 0.3
Reproduced:8 of 8 (100.0%)
Same Version:4 (50.0%)
Same OS:5 (62.5%)
From: cjones at dualboot dot net Assigned:
Status: Closed Package: Apache2 related
PHP Version: 4.2.1 OS: Linux 2.4.7-10
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: cjones at dualboot dot net
New email:
PHP Version: OS:

 

 [2002-05-27 20:45 UTC] cjones at dualboot dot net
When safe mode is on php is unable to determine the uid of the running script, it reports it as -1.  As you might imagine, this completely breaks the utility of safe mode with respect to file access.  Also, the same bug occurs when using safe_mode_gid (it reports the gid as -1 as well).  Note that it does get the appropriate uid/gid for the file that is attempted to be accessed.

I am running Apache 2.0.36 and the newest version of PHP (4.2.1).


I did some poking around and I think I found out what's going on.  In ext/standard/pageinfo.c, php_statpage() tries to determine and stat the running script file like so:

--------------------------------------------
       pstat = sapi_get_stat(TSRMLS_C);
   
        if (BG(page_uid)==-1 || BG(page_gid)==-1) {
                if(pstat) {
                        BG(page_uid)   = pstat->st_uid;
                        BG(page_gid)   = pstat->st_gid;
                        BG(page_inode) = pstat->st_ino;
                        BG(page_mtime) = pstat->st_mtime;
                }
        }
--------------------------------------------

pstat is not properly set by sapi_get_stat() (from main/SAPI.c) so the page_uid et al values are not changed, and retain their defaults (-1).


I looked around a bit to see if I could make a workaround by stating the script file without using sapi_get_stat but I couldn't figure out what variable contained the script filename.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-05-27 20:53 UTC] cjones at dualboot dot net
Little bit of extra info (which may or may not be helpful), OS version:
Linux version 2.4.7-10smp (bhcompile@stripples.devel.redhat.com) (gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-98)) #1 SMP Thu 
Sep 6 17:09:31 EDT 2001

Apache config commands:
./configure --prefix=/usr/local/apache --enable-so --enable-rewrite=shared --enable-ssl=shared --enable-suxec=shared

PHP config commands:
./configure --with-mysql=/usr/local/mysql --with-apxs2=/usr/local/apache/bin/apxs
 [2002-05-28 01:15 UTC] cjones at dualboot dot net
Update.

I installed the CVS release (4.3.0-dev) and the problem still exists there.  I switched over to the CGI/commandline install of PHP (4.2.1) and it works correctly (i.e. when safe_mode is on it gets the correct uid of the file owner).
 [2002-05-28 02:24 UTC] derick@php.net
reclassify as an apache 2 issue
 [2002-06-20 03:07 UTC] brian at brian-web dot com
I hit the same problem too with apache 2.0.36/php 4.2.1. I figured out where the problem was and fixed it. The apache2filter sapi module wasn't implementing a get_stat function. You can grab the patch from:

http://www.brian-web.com/misc/apache2-php-safemode.patch

I'm not too familiar with the Apache2 or PHP source, so someone else should probably take a look at it. Basically, it takes the apr_finfo_t struct from apache and converts it back to a struct stat for php.
 [2002-06-20 15:14 UTC] brian at brian-web dot com
That patch I just posted is broken with Apache 2.0.39, apparently the finfo struct isn't filled in 2.0.39 at the point that I was accessing it. (Its all 0s). If you move the call to php_apr_finfo2stat to php_apache_get_stat it works, but then its runs everytime php_apache_get_stat is called, which I was trying to avoid.
 [2002-08-23 16:40 UTC] shollatz at d dot umn dot edu
While this may have been assigned as an Apache 2.x problem,
I observe safe_mode_gid not working for most GIDs, works
for a few, regardless whether the user's GID set includes
it.

The environment is Apache 1.3.26 with PHP 4.2.2 as a module,
under Solaris 2.8.
 [2002-08-29 15:09 UTC] slamb at slamb dot org
See <http://bugs.php.net/bug.php?id=17858> - patch available at <http://www.slamb.org/php-apache2-safemode.patch>.
 [2002-09-16 10:30 UTC] derick@php.net
Must be fixed before 4.3.0
 [2002-09-23 13:56 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 [2002-12-17 04:38 UTC] romio at aduva dot com
I have the same problem with safe mode "uid -1" in apache 1.3.27 php 4.2.3 on Redhat 7.1
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Sep 18 15:03:37 2021 UTC