|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #25572 safe_mode ignores uid of files written
Submitted: 2003-09-17 09:28 UTC Modified: 2014-04-17 14:21 UTC
From: Andreas dot Ley at rz dot uni-karlsruhe dot de Assigned:
Status: Wont fix Package: Safe Mode/open_basedir
PHP Version: 4.3.3 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: Andreas dot Ley at rz dot uni-karlsruhe dot de
New email:
PHP Version: OS:


 [2003-09-17 09:28 UTC] Andreas dot Ley at rz dot uni-karlsruhe dot de
When using PHP as an apache module and safe_mode is on, PHP checks wether the owner of the script and the owner of the directory where a file should be written match. However, this owner and the uid of the apache process which runs the PHP script may be different (multi-user system with one apache but may user homepages). Thus a user may be able to create files which are owned by the apache user - this is a problem when quotas are enabled to restrict user diskspace usage.

A solution to this issue would be to also check the uid of the apache process against the owner of the directory. A possible implementation is this patch:
This changes PHPs behaviour in a way which may or may not be desirable at different sites, so this should be configurable either in configure or in php.ini.

This differs from bug #18407, since I don't want to read apache owned files but need to prevent them created (which circumvents quotas). As gtg782a suggested in the notes at, another solution would be to (safe and secure) change the owner of the files written; this seems much more complicated to me.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2014-04-17 14:21 UTC]
-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: *General Issues
 [2014-04-17 14:21 UTC]
This won't be fixed. Safe mode was deprecated in PHP 5.3 and removed in PHP 5.4/
 [2014-04-17 14:21 UTC]
-Package: *General Issues +Package: Safe Mode/open_basedir
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Tue Sep 27 05:05:53 2022 UTC