php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #24604 SAFE_MODE design issues
Submitted: 2003-07-11 08:32 UTC Modified: 2004-08-07 18:40 UTC
Votes:208
Avg. Score:4.8 ± 0.6
Reproduced:184 of 187 (98.4%)
Same Version:90 (48.9%)
Same OS:81 (44.0%)
From: timo dot hummel at 4fb dot de Assigned:
Status: Wont fix Package: Documentation problem
PHP Version: Irrelevant OS: SuSE Linux 8.2 Linux 2.4.19
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2003-07-11 08:32 UTC] timo dot hummel at 4fb dot de
Description:
------------
Hello bug processors,

please read the following bug report carefully, as it makes file and directory operations completely useless. At the end of this report, you find recommendations about what we should do.

Take a breath, it's quite a bunch of stuff to read and understand. Remember that the following is only an example, but which could be applied to almost every system running PHP with SAFE_MODE and where scripts need to perform file and directory operations.

As you might all know, providers tend to host multiple domains on a single machine. In the example, Apache runs as the system user "wwwrun", and we have a client user which has the system user "client". We have the following script:

<?php
mkdir("test");
?>

in the htdocs directory of the webserver:

-rw-r--r-- 1 client users 24 test.php

given the fact that the directory where test.php resides is owned by "client", test.php was called via the web and SAFE_MODE is on, the following happens:

- the directory "test" will be created
- the directory "test" has the owner "wwwrun"
- any further operations with the directory "test" will fail since SAFE_MODE is on and don't allow any operations on files and/or directories not owned by the owner of the script

This introduces another problem:

move_uploaded_file will fail in the above scenario. The htdocs directory of "client" is writable and owned by "client". If now a file is uploaded, it is stored in the PHP_TEMP_DIR specified in the php.ini with the user "wwwrun", thus making "move_uploaded_file" fail if it should be moved to the htdocs-directory of "client".

The big problem with the SAFE_MODE of PHP is maybe a communications problem, but I try to propose a few solutions:

1.) Modify the SAFE_MODE concept to become consistent. I.e. if a directory is created with a script owned by "client", the new directory should also belong to "client" instead of wwwrun, or SAFE_MODE shouldn't check the owner of the script, but rather the executor of the script.

2.) Modify the documentation of SAFE_MODE and all related file/directory functions that for the proper operation of file and directory functions, the owner and executor have to be the same user.

3.) Modify the documentation of SAFE_MODE and all related file/directory functions that for the proper operation of file and directory functions in a multi-user/single-executor scenario, safe_mode_gid should be set, including the correct group rights.

The above problems are one reason why most PHP content management systems recommend to turn SAFE_MODE off in order to make file uploads working.

The issue was tested with many PHP-Versions on many different systems (altough I haven't tried PHP 5.0 yet), but I'm looking forward to see the issue resolved in any way in the future.

best regards,
 Timo



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-11-03 12:55 UTC] roman at compic dot ee
Use cgi-php.
And no such problems at all.

1.) Modify the SAFE_MODE concept to become consistent.
They _NEVER_ do this. Because to change user, process must be owned by root. It's mean no security.

2.) Modify the documentation of SAFE_MODE and all related file/directory
functions that for the proper operation of file and directory functions,
the owner and executor have to be the same user.

My opinion - not needed. Just read aboud mod_php. It's always run as apache user.

The above problems are one reason why most PHP content management systems recommend to turn SAFE_MODE off in order to make file uploads working.

File_uploads can working with 'chuid' script, for example.
Just turn safe_mode OFF and disable system, popen, exec... functions
 [2003-11-06 12:22 UTC] timo dot hummel at 4fb dot de
>Use cgi-php.
>And no such problems at all.

Tell that 99% of all internet hosters. They just won't do it - for certain reasons. And there will be problems - just read my bug report again why this is not revelant to cgi-php.

>They _NEVER_ do this. Because to change user,
>process must be owned by
>root. It's mean no security.

Not necessarly. I suggested to change the safe mode logic, not the creator to create directories.

>My opinion - not needed. Just read aboud mod_php.
>It's always run as apache user.

Yes, but again: Read my bug report carefully. Try it out yourself. If you know about how unix and linux systems are setup, you'll quickly discover why it fails. Also remember: Most providers provide PHP, but only uploads via FTP. Thus, the user id's with which people upload files don't match the user id of the webserver in most cases.

>File_uploads can working with 'chuid' script, for example.

Most providers also don't do this. What you are recommending here are workarounds, but not solutions.

>Just turn safe_mode OFF and disable system, popen, >exec... functions

Again, Providers turn on SAFE_MODE because they think they make PHP secure - but in fact, they are disabling file operations via the web and 3rd party software (i.e. all scripts you can get on the web) pretty useless.

Or to use plain words:

"Heck, I can create a directory but I cannot write to it afterwards?"
 [2003-11-11 23:36 UTC] ndhuyvu at yahoo dot com
drwxrwxrwx    2 32533    bcdt         4096 Oct 23 20:48 10
drwxrwxrwx    2 99       99           4096 Nov 11 22:25 19
drwxrwxrwx    2 99       99           4096 Nov 11 22:32 20
drwxrwxrwx    2 32533    bcdt         4096 Oct 23 20:47 4
drwxrwxrwx    2 32533    bcdt         4096 Nov  5 23:07 5
drwxrwxrwx    2 32533    bcdt         4096 Oct 23 20:47 6
drwxrwxrwx    2 32533    bcdt         4096 Oct 23 20:47 9

FTP LOGIN -> Create Dir -> is OK
drwxrwxrwx    2 32533    bcdt         4096 Oct 23 20:47 9

But :-( 
When create Dir in php code
mkdir($datapath.$ID,0777);

or
chmod($datapath.$ID,0777);
mkdir($datapath.$ID,0777);

result:
drwxrwxrwx    2 99       99           4096 Nov 11 22:32 20
 [2003-12-28 06:32 UTC] s9608273 at student dot utwente dot nl
Dir 20031228122842 made with function mkdir() (uid/gid : 101:100)

This is the effect when moving uploaded file to this dir.

Warning: move_uploaded_file(): SAFE MODE Restriction in effect. The script whose uid/gid is 507/507 is not allowed to access /home/..../uploadedFiles/20031228122842 owned by uid/gid 101/100 in ...

Maybe all file operations can be performed as the user which owns the script.
 [2004-01-21 05:52 UTC] thorsten at rinne dot info
Hi,

using PHP as CGI with suPHP (www.suphp.org) there are no problems:

-rw-r--r--    1 thorsten  users          195 Jan 20 22:01 test.php

Then running test.php...

Result:

drwxr-xr-x    2 thorsten  users         4096 Jan 20 22:03 test
-rw-r--r--    1 thorsten  users          195 Jan 20 22:01 test.php

It would be nice if this would work with mod_php!

bye
Thorsten
 [2004-01-29 18:26 UTC] rlammers at angelfire dot com
The simplest way to let users do anything on my website is by creating a subdir for them to separate their actions from others. 

Now my webhost has turned safe_mode on and the only work-around is to let the ftp-pasword lying around in a script file. Nice security that is!.

Please fix this (imho major) bug. It makes no sense to let users create a dir and not let them write to it.
 [2004-03-01 02:24 UTC] soenke at regelt dot com
safe_mode_gid should be a workaround for this.

@Developers: Please let us know your plans about this issue.

--

Soenke
 [2004-03-01 02:31 UTC] timo dot hummel at 4fb dot de
>It makes no sense to let users create
> a dir and not let them write to it.

Well, that's another thing. It's probably about the umask, however, most providers and/or distribution builders should take care of this, but aren't.
 [2004-05-31 09:37 UTC] real763 at uni dot de
uhm thats not great

ftp doenst work , and CGI is not running, too :(

Warning: ftp_connect() [function.ftp-connect]: php_network_getaddresses: getaddrinfo failed: Name or service not known in /home/www/htdocs/myhost.com/bla.php on line 382

@develop: plz upgrade SAFE_MODE : - )
 [2004-07-16 15:12 UTC] bramspam at pandora dot be
This is a pretty old bug, so has this been fixed yet? My webhost is running a pretty darned old PHP version, but I don't see the point in bugging them to upgrade of this bug isn't fixed yet ..
 [2004-08-07 17:27 UTC] vrana@php.net
Behavior of move_uploaded_file() with safe_mode is already described.

Functions affected by safe_mode have already a note about safe_mode.

safe_mode_gid is also already documented: "However, there may be environments where a strict UID check is not appropriate and a relaxed GID check is sufficient. This is supported by means of the safe_mode_gid switch. Setting it to On performs the relaxed GID checking, setting it to Off (the default) performs UID checking."

I suppose that the behavior of safe_mode is not going to change according proposal 1.
 [2004-09-25 01:50 UTC] anton dot php at titov dot net
http://www.titov.net/safemodepatch/ - this patch should allow you to write to directories, created by PHP.
 [2004-10-15 10:28 UTC] paulo dot matos at fct dot unl dot pt
A workaround/solution to this problem on *nix

Assuming that httpd server runs as apache/apache (uid/gid), and php script is user/group. 

1) php.ini
safe_mode = On
safe_mode_gid = On

2) Create initial data directory, on install phase as:

mkdir /path/to/datadir
chown user.group /path/to/datadir
chmod 2777 /path/to/datadir

3) Create all subdirectories (within php), like:
mkdir(/path/to/datadir/subdir, 02777);

This way all subdirectry will inherit group from initial parent dir and SAFE_MODE won't complain, since all subdirs
and files will be apache.group.

IMPORTANT NOTE: After any subdirectory creation you shouldn't change directory permissions, otherwise it will loose
the GID bit and all files/subdirectories created afterwards won't have group inherited!
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 08:01:28 2019 UTC