php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #33752 safe_mode UID checks modification
Submitted: 2005-07-18 17:44 UTC Modified: 2016-08-06 02:40 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: mordae at mordae dot net Assigned:
Status: Wont fix Package: *General Issues
PHP Version: 4.3.11 OS: all POSIX
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2005-07-18 17:44 UTC] mordae at mordae dot net 
Description:
------------
For the first, we all know what PHP does in (un)safe_mode. There has to be some solution of this problem. You have disagreed with all previous, so what about this one:

Add php.ini directive, that will make PHP check UID of all parent directories of accessed file in addition of file's and if any of parent directories are owned by correct user, allow access.
To improve security, you could also check if all directories "above" are owned by the user, who runs PHP.

See Titov's patch at http://titov.net/safemodepatch/

Thank you
Mordae

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-07-18 19:36 UTC] tony2001@php.net 
>For the first, we all know what PHP does in (un)safe_mode.
So tell us, if you know.

>There has to be some solution of this problem.
What problem?

>You have disagreed with all previous
What are you talking about?
 [2005-07-18 20:24 UTC] mordae at mordae dot net 
For the first, we all know what PHP does in so-called safe_mode.
When using PHP as web server module and create directory or file, it is owned by user running web server, so we have to keep eyes on it's mode. Usually 0757 (0646) is needed. If we use safe_mode, we end up with unaccessible files, because UIDs doesn't match.
There has to be some solution of this problem in PHP. I have seen many other, but none seems to be used.
What about this one:

Add php.ini directive, that will make PHP check UID of all parent directories of accessed file and if any of parent
directory is owned by scripts owner, allow access.
To improve security, you could also check if all sub-directories are owned by the user, who runs PHP (server) or - again - script owner.

See Titov's patch at http://titov.net/safemodepatch/
he probably did it. The problem is, that it's not official and no webhosting is using it.

Thank you
Mordae

And I do apologize.
 [2005-10-19 17:21 UTC] anton at titov dot net 
I can do this /I mean to add setting for this/ if you point me if there is somewhere coding rules for writing for PHP. And if you tell me how to submit it when I'm done.

You will need somebody to understand the idea and to document it as my English is probably not good enough for it.

Anton Titov
Host.bg
 [2016-08-06 02:40 UTC] kalle@php.net
-Status: Open +Status: Wont fix -Package: Feature/Change Request +Package: *General Issues
 [2016-08-06 02:40 UTC] kalle@php.net 
I'm gonna mark this as Wfx as safe_mode was removed back in 5.4
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Wed Apr 24 23:01:34 2024 UTC