Bug #36467 odd safe_mode restriction and possible security concern
Submitted: 2006-02-20 18:16 UTC Modified: 2006-02-22 18:15 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 1 (100.0%)
From: mike at silverservers dot com
Assigned:
Status: Not a bug
Package: Safe Mode/open_basedir
PHP Version: 4.4.2
OS: CentOS 4.2
Private report: No
CVE-ID: None
 [2006-02-20 18:16 UTC] mike at silverservers dot com
Description:
------------
I believe this is a bug in safe_mode.  I have posted this to newsgroups but no one would touch it.

Scenario:
safe_mode On
safe_mode_gid = On
safe_mode_include_dir = /usr/local/custom/phpincludes/
safe_mode_exec_dir = /usr/local/custom/phpexec/

Notes:
1) phpexec contains .php scripts that are being accessed through an apache "alias":
 Alias /CustomScripts "/usr/local/custom/phpexec/"

2) for the example, all files in phpexec and phpincludes are owned by root (0)

3) there are multiple apache processes running under different UIDs, for example, as user1:user1 (502:502), as user2:user2 (505:505) etc.

Situation:
If a visitor to the website accesses the PHP script via
http://www.domainname.com/CustomScripts/script.php - even though the permissions of the script are 755 (i.e., world executable), the script is NOT run as the user that calls the script (i.e. UID 502).  The script is run as the Linux file "owner" which is root (UID 0).  For whatever reason this may be desired, but the problem is, that "script.php" is supposed to access files owned by user1 (UID 502) -- however safe_mode does NOT allow script.php (UID 0) to access files owned by user1 (UID 502).

To me, this seems ridiculous.  The reason the executables are even placed in the /usr/local/custom/phpexec directory is to allow all apache processes on the server to run the same scripts, without having to install them individually in every instance.  They are owned by a non-webserver user to prevent them from being modified via the web.

Now, since they are being forcibly executed as the non-web user, they cannot access the actual web users' content.

It's like borrowing your neighbor's lawnmower, but for some reason, it won't cut your lawn.  It will let you cut his lawn.  It will let him cut his lawn, but for some unknown reason, it won't work when you try to use his lawnmower to cut your own lawn.

QUESTION:  Aside from some possible security concerns that come up with this behavior, does this also qualify as a bug?


History
 [2006-02-22 08:50 UTC] tony2001@php.net
>the script is NOT run as the user that calls the script (ie UID 502).  
>The script is run as the linux file "owner" which is root (UID 0).
And you know that because .... ?

>safe_mode does NOT allow script.php (UID 0) to 
>access files owned by user1 (UID 502).

Read about safe_mode, that's the whole point - to restrict access between different virtual hosts owned by different users.
 [2006-02-22 18:15 UTC] mike at silverservers dot com
>>the script is NOT run as the user that calls the script (ie UID 502). 
>>The script is run as the linux file "owner" which is root (UID 0).

>And you know that because .... ?

If you try a setup like this you would see what I mean.  The error messages that are generated when UID 502 calls the script owned by UID 0 show that UID 0 is not able to open files owned by UID 502.

>>safe_mode does NOT allow script.php (UID 0) to 
>>access files owned by user1 (UID 502).

>Read about safe_mode, that's the whole point - to restrict access between different virtual hosts owned by different users.

I've read the documentation on safe_mode.  If UID 503 runs the script in the phpexec directory (owned by UID 0) and tries to access the files owned by UID 502 (or anyone other than 503) it should generate an error.  That would be logical.

What's NOT logical, is that UID 503 CANNOT OPEN files owned by UID 503 when using a script in the phpexec directory that is owned by UID 0.  As soon as PHP 'launches' the script in phpexec owned by UID 0, that script is now limited to being able to open files owned by UID 0... So what happens to the privileges of UID 503 that requested the script to be used anyway?  What is the point of not allowing UID 503 to have its own files opened when it wants them to be?
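The disagreement in this thread comes down to which uid safe_mode actually compares. The following is an added model (not code from the report or from PHP itself) of the documented safe_mode rule: the owner of the requested script file is compared with the owner of the file being opened, and the uid of the Apache process never enters the decision; with safe_mode_gid the gids are compared instead, and files included from safe_mode_include_dir skip the check. The owners, paths and config values are constructed to mirror the reporter's setup.

```python
from dataclasses import dataclass

# Added model of the safe_mode ownership check, not code from the bug report.
# Decision input is the *file owner of the requested script*, never the uid of
# the Apache process that serves the request.

@dataclass(frozen=True)
class Owner:
    uid: int
    gid: int

@dataclass(frozen=True)
class SafeMode:
    enabled: bool = True
    gid_mode: bool = False      # safe_mode_gid: compare gid instead of uid
    include_dir: str = ""       # safe_mode_include_dir: includes from here skip the check

def allows_open(cfg: SafeMode, script: Owner, target: Owner, process: Owner) -> bool:
    """Would safe_mode let `script` open a file owned by `target`?
    `process` is accepted only to make explicit that it is ignored."""
    if not cfg.enabled:
        return True
    return script.gid == target.gid if cfg.gid_mode else script.uid == target.uid

def allows_include(cfg: SafeMode, script: Owner, inc_path: str, inc_owner: Owner) -> bool:
    """Includes from safe_mode_include_dir bypass the uid/gid check."""
    if cfg.include_dir and inc_path.startswith(cfg.include_dir):
        return True
    return allows_open(cfg, script, inc_owner, script)

# Constructed scenario from the report: root-owned shared scripts, per-user Apache processes.
ROOT, USER1, USER2 = Owner(0, 0), Owner(502, 502), Owner(505, 505)
CFG = SafeMode(enabled=True, gid_mode=True, include_dir="/usr/local/custom/phpincludes/")

def shared_script_opens_user_file() -> bool:
    # /CustomScripts/script.php is owned by root and requested by user1's process (502);
    # opening a 502-owned file is denied because the script owner (0) != 502.
    return allows_open(CFG, script=ROOT, target=USER1, process=USER1)

def user_script_opens_own_file() -> bool:
    return allows_open(CFG, script=USER1, target=USER1, process=USER1)

def user_script_opens_other_users_file() -> bool:
    # The cross-vhost isolation safe_mode exists for: user1's script cannot read user2's data.
    return allows_open(CFG, script=USER1, target=USER2, process=USER1)

def user_script_includes_shared_code() -> bool:
    # Alternative layout: a 502-owned script includes the root-owned shared code from
    # safe_mode_include_dir; the include is exempt, and later opens are checked against 502.
    return allows_include(CFG, USER1, "/usr/local/custom/phpincludes/lib.php", ROOT)
```

Running the four scenario functions shows why the reporter's root-owned script is denied while each user's own script keeps its own files, and why the request's process uid changes nothing.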
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Apr 22 22:01:27 2019 UTC