Doc Bug #29126 safe_mode UID/GID checking works in other way than described
Submitted: 2004-07-14 00:01 UTC Modified: 2004-09-18 21:50 UTC
Votes:3
Avg. Score:4.3 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: andrey at ruweb dot net Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4.3.7 OS:
Private report: No CVE-ID: None
 [2004-07-14 00:01 UTC] andrey at ruweb dot net
Description:
------------
Documentation said: "When safe_mode is on, PHP checks to see if the owner of the current script matches the owner of the file to be operated on by a file function"

THAT'S NOT TRUE! ;)

It seems PHP only checks to see if the owner of the current script matches the owner of the DIRECTORY where the file to be operated on is located.

So, if we have 2 files

script.php 644 user1:user1
passwd.txt 644 root:root

in directory

public_html/ 750 user1:apache

then script.php is still able to readfile('passwd.txt'); without any restriction.

In most cases it doesn't matter. But using the safe_mode_gid option in such a way becomes almost useless because it can break security in some cases.

We all know that safe_mode+safe_mode_exec_dir is a simple and effective way to protect user files from other users' access.
At the same time we all know that using safe_mode is sometimes very inconvenient. Users can't create files from PHP in directories created by PHP, etc. At first look the safe_mode_gid option seems suitable to solve those common safe_mode problems. But in fact it can be completely insecure.

For example, we have a directory

/home/user01/public_html user01:apache 750

The permissions are 750 and the uid/gid is user01:apache because that's the right way to restrict access to a user's files from other users.

And so, user01 has a file

/home/user01/public_html/config.php user01:user01 644

with some sensitive information.

Also, user02 has a file

/home/user02/public_html/upload/script.php apache:apache 644

The uid/gid is 'apache' because that script was uploaded via PHP.

Now user02 is able to run script.php with readfile('/home/user01/public_html/config.php'); inside, and PHP will not restrict reading, just because the GID of script.php matches the GID of the /home/user01/public_html/ directory, COMPLETELY REGARDLESS of the ownership of config.php itself.

Why does it work in such an unexpected way?

Please change that or just make it clear in documentation.


 [2004-09-18 21:50 UTC] vrana@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

I checked this in the sources and you are right. This is in safe_mode.c: "if (fopen_mode[0] == 'r') { mode = CHECKUID_DISALLOW_FILE_NOT_EXISTS; } else { mode = CHECKUID_CHECK_FILE_AND_DIR; }" thus for most file operations a check of the file or its directory is performed. I added "... or its directory" to the sentence in your quote.

If you don't like the current behavior, create a new bug report with Category Feature Request.

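The check described in the report and confirmed in the maintainer's reply (a match on the file OR on its containing directory, comparing uid, or gid when safe_mode_gid is on) can be modelled without a PHP 4 installation. The following is an added example written for this page, not PHP's own php_checkuid code: it is a simplified reimplementation of that decision over a constructed in-memory file table, so both scenarios from the report (the root-owned passwd.txt beside script.php, and user02's apache-owned upload reading user01's config.php) can be reproduced. The account names, uid/gid numbers and paths are constructed; the permission bits are carried only for illustration, since safe_mode never consults them.

```python
"""Model of the PHP 4 safe_mode ownership check ("file or its directory").

Added example, not PHP's code. Assumptions: for 'r' mode PHP used
CHECKUID_DISALLOW_FILE_NOT_EXISTS (refuse a read of a non-existent file),
for other modes CHECKUID_CHECK_FILE_AND_DIR; in both, a match on the file
allows the operation, and failing that a match on its directory allows it.
safe_mode_gid switches the comparison from uid to gid.
"""
from dataclasses import dataclass
import posixpath


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits; safe_mode ignores them entirely


# Constructed uid/gid numbers for the accounts named in the report.
UIDS = {"root": 0, "apache": 48, "user1": 1000, "user01": 1001, "user02": 1002}
GIDS = dict(UIDS)

# Constructed file table reproducing the two layouts from the report.
FS = {
    # First scenario: script and a root-owned file in a user1:apache directory.
    "/home/user1/public_html": Inode(UIDS["user1"], GIDS["apache"], 0o750),
    "/home/user1/public_html/script.php": Inode(UIDS["user1"], GIDS["user1"], 0o644),
    "/home/user1/public_html/passwd.txt": Inode(UIDS["root"], GIDS["root"], 0o644),
    # Second scenario: user01's config.php and user02's PHP-uploaded script.
    "/home/user01/public_html": Inode(UIDS["user01"], GIDS["apache"], 0o750),
    "/home/user01/public_html/config.php": Inode(UIDS["user01"], GIDS["user01"], 0o644),
    "/home/user02/public_html/upload": Inode(UIDS["user02"], GIDS["apache"], 0o750),
    "/home/user02/public_html/upload/script.php": Inode(UIDS["apache"], GIDS["apache"], 0o644),
}


def owner_matches(node: Inode, script: Inode, safe_mode_gid: bool) -> bool:
    """uid match always counts; a gid match counts only under safe_mode_gid."""
    if node.uid == script.uid:
        return True
    return bool(safe_mode_gid and node.gid == script.gid)


def checkuid(script_path: str, target_path: str, fopen_mode: str = "r",
             safe_mode_gid: bool = False, fs: dict = FS) -> bool:
    """Return True if safe_mode would let script_path operate on target_path."""
    script = fs[script_path]
    target = fs.get(target_path)
    if fopen_mode[0] == "r" and target is None:
        return False  # CHECKUID_DISALLOW_FILE_NOT_EXISTS: nothing to compare
    # Step 1: the file itself. A match here is enough.
    if target is not None and owner_matches(target, script, safe_mode_gid):
        return True
    # Step 2: the containing directory. This is the branch the report is about.
    parent = fs.get(posixpath.dirname(target_path))
    return parent is not None and owner_matches(parent, script, safe_mode_gid)


def report_scenarios() -> dict:
    """Outcomes of the two cases in the bug report under each setting."""
    s1 = ("/home/user1/public_html/script.php", "/home/user1/public_html/passwd.txt")
    s2 = ("/home/user02/public_html/upload/script.php", "/home/user01/public_html/config.php")
    return {
        "passwd.txt via safe_mode": checkuid(*s1),
        "config.php via safe_mode": checkuid(*s2),
        "config.php via safe_mode_gid": checkuid(*s2, safe_mode_gid=True),
    }


if __name__ == "__main__":
    for case, allowed in report_scenarios().items():
        print(f"{case}: {'ALLOWED' if allowed else 'denied'}")
```

Running it shows the two effects the reporter describes: the root-owned passwd.txt is readable under plain safe_mode because the directory is owned by user1, and config.php is readable under safe_mode_gid because the apache-owned upload shares the gid of user01's public_html, even though config.php itself is user01:user01. Changing the directory group in the table (for example to user01) makes the second case fail, which is the knob the check actually keys on.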