PHP :: Bug #36467 :: odd safe_mode restriction and possible security concern

Bug #36467

odd safe_mode restriction and possible security concern

Submitted:

2006-02-20 18:16 UTC

Modified:

2006-02-22 18:15 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

mike at silverservers dot com

Assigned:

Status:

Not a bug

Package:

Safe Mode/open_basedir

PHP Version:

4.4.2

OS:

CentOS 4.2

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 25 + 28 = ?
Subscribe to this entry?

[2006-02-20 18:16 UTC] mike at silverservers dot com

Description:
------------
I believe this is a bug in safe_mode. I have posted this to newsgroups but no one would touch it.

Scenario:
safe_mode On
safe_mode_gid = On
safe_mode_include_dir = /usr/local/custom/phpincludes/
safe_mode_exec_dir = /usr/local/custom/phpexec/

Notes:
1) phpexec contains .php scripts that are being access through an apache "alias":
Alias /CustomScripts "/usr/local/custom/phpexec/"

2) for the example, all files in phpexec and phpincludes are owned by root (0)

3) there are multiple apache process running under different UID's, for example, as user1:user1 (502:502), as user2:user2 (505:505) etc.

Situation:
If a visitor to the website accesses the PHP script via
http://www.domainname.com/CustomScripts/script.php - even though the permissions of the script are 755 (IE, world executable), the script is NOT run as the user that calls the script (ie UID 502). The script is run as the linux file "owner" which is root (UID 0). For whatever reason this may be desired, but the problem is, that "script.php" is supposed to access files owned by user1 (UID 502) -- however safe_modedoes NOT allow script.php (UID 0) to access files owned by user1 (UID 502).

To me, this seems ridiculous. The reason the executables are even placed in the /usr/local/custom/phpexec directory is to allow all apache processes on the server to run the same scripts, without having to install them individually in every instance. They are owned by a non-webserver user to prevent them from being modified via the web.

Now, since they are being forcibly executed as the non-web user, they cannot access the actual webusers content.

It's like borrowing your neighbors lawnmower, but for some reason, it won't cut your lawn. It will let you cut his lawn. It will let him cut his lawn, but for some unknown reason, it won't work when you try to use his lawnmower to cut your own lawn.

QUESTION: Aside from some possible security concerns that come up with this behavior, does this also qualify as a bug?

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-02-22 08:50 UTC] tony2001@php.net

>the script is NOT run as the user that calls the script (ie UID 502).  
>The script is run as the linux file "owner" which is root (UID 0).
And you know that because .... ?

>safe_mode does NOT allow script.php (UID 0) to 
>access files owned by user1 (UID 502).

Read about safe_mode, that's the whole point - to restrict access between different virtual hosts owned by different users.

[2006-02-22 18:15 UTC] mike at silverservers dot com

>>the script is NOT run as the user that calls the script (ie UID 502). 
>>The script is run as the linux file "owner" which is root (UID 0).

>And you know that because .... ?

If you try a setup like this you would see what I mean.  The error messages that are generated when UID 502 calls the script owned by UID 0 show that UID 0 is not able to open files owned by UID 502.

>>safe_mode does NOT allow script.php (UID 0) to 
>>access files owned by user1 (UID 502).

>Read about safe_mode, that's the whole point - to restrict access between different virtual hosts owned by different users.

I've read the documentation on safe_mode.  If UID 503 runs the script in the phpexec directory (owned by UID 0) and tried to access the files owned by UID 502 (or anyone other than 503) it should generate an error.  That would be logical.

What's NOT logical, is that UID 503 CANNOT OPEN files owned by UID 503 when using a script in the phpexec directory that is owned by UID 0.  As soon as PHP 'launches' the script in phpexec owned by UID 0, that script is now limited to be able to open files owned by UID 0... So what happens to the priveleges of UID 503 that requested the script to be used anyway?  What is the point of not allowing UID 503 to have it's own files opened when it wants them to be?

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 17:01:30 2024 UTC