php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #34050 safe_mode_include_dir isn't honored
Submitted: 2005-08-09 16:56 UTC Modified: 2005-08-31 01:00 UTC
Votes:4
Avg. Score:5.0 ± 0.0
Reproduced:4 of 4 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (25.0%)
From: wolfram at schlich dot org Assigned:
Status: No Feedback Package: Safe Mode/open_basedir
PHP Version: 5CVS-2005-08-09 (dev) OS: Linux 2.6.12-gentoo-r4 x86_64
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: wolfram at schlich dot org
New email:
PHP Version: OS:

 

 [2005-08-09 16:56 UTC] wolfram at schlich dot org
Description:
------------
when safe_mode is active, I want to be able to include files from certain directories without checking for their UID/GID.

Reproduce code:
---------------
--8<--[ php.ini ]--8<--
safe_mode = On
safe_mode_gid = Off
safe_mode_include_dir = "/usr/share/php/:/usr/lib/php/"
safe_mode_allowed_env_vars = PHP_,LANG,LC_
--8<--[ apache vhost config ]--8<--
php_value include_path ".:/usr/share/php:/usr/lib/php"
--8<--[ sample php script ]--8<--
require_once('/usr/lib/php/Smarty/Smarty.class.php');
--8<--

Expected result:
----------------
included file, no error message.

Actual result:
--------------
Warning: main() [function.main]: SAFE MODE Restriction in effect. The script whose uid is 667 is not allowed to access /usr/lib/php/Smarty/Smarty.class.php owned by uid 0 in /home/wschlich/public_html/smartytest/smartytest.php on line 19

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-09 18:09 UTC] sniper@php.net
; By default, Safe Mode does a UID compare check when
; opening files. If you want to relax this to a GID compare,
; then turn on safe_mode_gid.

 [2005-08-09 18:16 UTC] wolfram at schlich dot org
then the comment above safe_mode_include_dir is silly:

; When safe_mode is on, UID/GID checks are bypassed when
; including files from this directory and its subdirectories.
; (directory must also be in include_path or full path must
; be used when including)

it says "UID/GID checks are bypassed", so why should I enable safe_mod_gid then?

I even tried that, result:
--8<--
Warning: main() [function.main]: SAFE MODE Restriction in effect. The script whose uid/gid is 667/888 is not allowed to access /usr/lib/php/Smarty/Smarty.class.php owned by uid/gid 0/0 in /home/wschlich/public_html/smartytest/class.MySmarty.inc.php on line 27
--8<--
 [2005-08-12 00:30 UTC] tony2001@php.net
Can't reproduce.
Make sure that /usr/lib/php/Smarty (or any of it's parent dirs) is not a symbolic link. 
 [2005-08-12 01:09 UTC] wolfram at schlich dot org
no symlink...
 [2005-08-23 02:44 UTC] sniper@php.net
I can't reproduce this either. Try this on command line:

# php -r 'include("/usr/lib/php/Smarty/Smarty.class.php");'

Also, make sure that PHP really is loading the right php.ini file!! (e.g. if you happen to have one in / that one will be loaded instead)

 [2005-08-31 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 04 18:01:31 2024 UTC