Bug #17858 Apache 2 and PHP 4 breaks safe_mode
Submitted: 2002-06-20 00:04 UTC Modified: 2002-09-26 12:09 UTC
Votes:10
Avg. Score:5.0 ± 0.0
Reproduced:10 of 10 (100.0%)
Same Version:9 (90.0%)
Same OS:7 (70.0%)
From: moron at industrial dot org Assigned:
Status: Closed Package: Apache2 related
PHP Version: 4.3.0-dev OS: Linux
Private report: No CVE-ID: None
 [2002-06-20 00:04 UTC] moron at industrial dot org
There is a problem with PHP 4 and Apache 2.0 relating to checking of the UID and GID of scripts under safe_mode. The net result is that under safe_mode, all scripts fail.  

Here is an example error:

SAFE MODE Restriction in effect. The script whose uid is -1 is not allowed to access /home/httpd/html/test.php owned by uid 0 in Unknown on line 0

Note that this is not for an include but the script itself.  Also note the bogus UID.

Here is a detailed description from another fellow I came across when researching this via Google which quite eloquently explains the problem:

From: Victor Fernandes (Victor.Fernandes@comnet.be)
Subject: Re: [PHP-INST] PHP 4.x and Apache 2.x 
Newsgroups: php.install
Date: 2002-06-18 04:19:11 PST 
 
Just for the records and to give some hope ;-)

I found where the problem is and patched the sources to fix the problem for me.

I will not suggest or recommend my solution (patch) because this should be solved when PHP 4 will be fully supported with Apache 2.x. Yes I had this error certainly due to this combination (Apache 2.0.36 and PHP 4.2.1, Solaris 8, etc...)

On file "./sapi/apache2filter/apache_config.c" changed the string "OR_NONE" on line 131, to "ACCESS_CONF|RSRC_CONF". Based on line 866 of file: "./sapi/apache/mod_php4.c"

After that I was presented with a new nice error:

Warning: SAFE MODE Restriction in effect. The script whose uid/gid is -1/-1 is not allowed..."

For any file I was trying to access. This again is certainly due to the fact that this is experimental code for Apache 2.x. I found where the problem is and patched the sources too.

For the curious and in case this is not yet known, the problem originates on the "./main/safe_mode.c" file, because the php_getuid() and php_getgid() functions always return -1. In fact the problem comes, even more deeply, from the php_statpage() or sapi_get_stat(). I decided not to go further and patched the php_getuid() and php_getgid() directly (on file "./ext/standard/pageinfo.c"). I've done this by checking the value that is supposed to be returned and if it is -1 go another way and get the correct executing script uid/gid.

Victor Fernandes


 [2002-06-20 00:09 UTC] sniper@php.net
AFAIK this is already fixed in CVS. Try this snapshot:

http://snaps.php.net/php4-latest.tar.gz


 [2002-06-20 01:18 UTC] moron at industrial dot org
Actually, the latest snapshot makes things worse in a way.  To get it to install you need to turn off SAFE_MODE due to something with the PEAR section that creates a chicken and the egg scenario:

make[1]: Entering directory `/usr/local/source/php4-200206192100'
/usr/local/source/php4-200206192100/sapi/cli/php /usr/local/source/php4-200206192100/pear/install-pear.php /usr/local/source/php4-200206192100/pear/package-*.xml

Warning: SAFE MODE Restriction in effect.  The script whose uid is -1 is not allowed to access /usr/local/source/php4-200206192100/pear/PEAR.php owned by uid 100 in /usr/local/source/php4-200206192100/pear/install-pear.php on line 6

After turning off safe_mode and open_basedir temporarily, I managed to complete an install but then got a new error along with the old ones:

SAFE MODE Restriction in effect. The script whose uid is -1 is not allowed to access /home/httpd/html/test.php owned by uid 0 in Unknown on line 0

Warning: (null)("/home/httpd/html/test.php") - Resource temporarily unavailable in Unknown on line 0

Warning: Failed opening '/home/httpd/html/test.php' for inclusion (include_path='.:/usr/local/lib/php') in Unknown on line 0

So this does appear to still be FUBAR in the current distribution.  The "Resource temporarily unavailable" is a new error just so you know.

Cheers
 [2002-06-28 03:56 UTC] sniper@php.net
forgot to update version.

 [2002-07-09 10:53 UTC] roel at oms-net dot nl
Got newest version today (http://snaps.php.net/php4-latest.tar.gz) DD: 20020809 @ approx. 15.00 CET. 

Using this version I still have the same problem.
 [2002-07-18 23:09 UTC] slamb at slamb dot org
sniper, if this was fixed, I think it has regressed. I have the same problem with CVS pulled like 30 minutes ago.

Victor, could you post a context diff of what you did? I took a quick look at the file/lines you mentioned, but I think those line numbers are no longer correct.
 [2002-07-18 23:54 UTC] slamb at slamb dot org
I've got a patch now that "fixes" this. <http://www.slamb.org/php-apache2-safemode.patch>

It makes a stat(2) system call that isn't strictly necessary - rec->finfo has this information, but not in the struct stat form.

It will probably put a lot of stuff in your error log if you try to serve things that aren't files, which Apache2 is capable of. (I.e., coming from a Subversion repository.)
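
The fallback described in this thread (when the script's uid comes back as -1, stat(2) the script file to get its owner), sketched as an added example. It is not Victor's or slamb's patch and not PHP source; `resolve_script_uid`, `owner_check` and `demo` are hypothetical names, and an unresolved uid is kept as a denial so the check fails closed for requests that are not files on disk.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define UID_UNKNOWN ((uid_t)-1)   /* the -1 sentinel seen in the error messages */

/* Hypothetical helper: return the owner of the running script.
 * cached_uid models the value the SAPI layer was expected to fill in;
 * while it is still the -1 sentinel, fall back to stat(2) on the script path. */
uid_t resolve_script_uid(const char *script_path, uid_t cached_uid)
{
    struct stat sb;
    if (cached_uid != UID_UNKNOWN)
        return cached_uid;
    if (script_path == NULL || stat(script_path, &sb) != 0)
        return UID_UNKNOWN;           /* not a file on disk: stay unresolved */
    return sb.st_uid;
}

/* Hypothetical owner check in the spirit of safe_mode: allow access only when
 * the script owner is known and equals the target file's owner. Returns 1 or 0. */
int owner_check(uid_t script_uid, const char *target_path)
{
    struct stat sb;
    if (script_uid == UID_UNKNOWN)
        return 0;                     /* fail closed on an unresolved uid */
    if (stat(target_path, &sb) != 0)
        return 0;
    return sb.st_uid == script_uid;
}

/* Constructed demo: returns 1 if the fallback turns the denial into an allow. */
int demo(void)
{
    char path[] = "/tmp/safemode-demo-XXXXXX";   /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    int before = owner_check(UID_UNKNOWN, path);  /* the failure reported here */
    int after  = owner_check(resolve_script_uid(path, UID_UNKNOWN), path);
    unlink(path);
    return before == 0 && after == 1;
}

int main(void) { printf("fallback fixes check: %d\n", demo()); return 0; }
```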
 [2002-08-17 14:58 UTC] mira-junk at cekit dot cz
This issue has been already reported as bug #17466. Still unresolved in today's snapshot using apache 2.0.39 or 2.0.40.
 [2002-08-17 15:16 UTC] mira-junk at cekit dot cz
Patch from http://www.slamb.org/php-apache2-safemode.patch mentioned above solves this problem ... and works with apache 2.0.40. Thanks
 [2002-09-16 10:31 UTC] derick@php.net
Duplicate of #17466
 [2002-09-26 12:09 UTC] sniper@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 