php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38670 Whole 4.4.x branch has problem with open_basedir option nested from Apache2
Submitted: 2006-08-31 12:29 UTC Modified: 2008-07-11 21:18 UTC
Votes:30
Avg. Score:4.6 ± 0.9
Reproduced:26 of 26 (100.0%)
Same Version:11 (42.3%)
Same OS:3 (11.5%)
From: serokka at hrn dot ru Assigned:
Status: Wont fix Package: Apache2 related
PHP Version: 4.4.4 OS: FreeBSD 4.10
Private report: No CVE-ID: None
 [2006-08-31 12:29 UTC] serokka at hrn dot ru
Description:
------------
I got a problem with open_basedir between Apache's (2.0.55) virtual hosts.

This error appeared in 4.4.x branch!
PHP 4.3.11 does NOT have this error.

----------------------------------------
Warning: Unknown(): open_basedir restriction in effect. File(/pub/home/xxxxxxx/tmp) is not within the allowed path(s): (/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/php/lib/php:/usr/local/mysql/bin:/pub/home/yyyyyyyy) in Unknown on line 0
----------------------------------------

This is very serious bug and it stops us from using PHP 4.4.x

Reproduce code:
---------------
<VirtualHost aaa.aaa.aaa.aaa:80>
..............
    php_admin_value doc_root '/pub/home/xxxxxxx'
    php_admin_value upload_tmp_dir '/pub/home/xxxxxxx/tmp'
    php_admin_value session.save_path '/pub/home/xxxxxxx/tmp'
    php_admin_value open_basedir '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/php/lib/php:/usr/local/
mysql/bin:/pub/home/xxxxxxx'
..............
</VirtualHost>

<VirtualHost aaa.aaa.aaa.aaa:80>
..............
    php_admin_value doc_root '/pub/home/yyyyyyyy'
    php_admin_value upload_tmp_dir '/pub/home/yyyyyyyy/tmp'
    php_admin_value session.save_path '/pub/home/yyyyyyyy/tmp'
    php_admin_value open_basedir '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/php/lib/php:/usr/local/
mysql/bin:/pub/home/yyyyyyyy'
..............
</VirtualHost>



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-09-16 07:56 UTC] serokka at hrn dot ru
With the latest snapshot we have the same problem.
 [2006-09-16 08:47 UTC] serokka at hrn dot ru
I have checked the diffs of session.c implementations between 4.3.11 and php4-latest-snapshot, here is the same that brought my attention.

As i understand correctly, there is implementation of checking boundaries such as open_basedir at runtime if it was got from Apache VirtualHost section.

So, the problem was from the beginning of 4 branch??? Is there a security leak, cause sessions sometimes got their paths from other VirtualHost???
------------------------------------------------------------
@@ -117,6 +117,20 @@ static PHP_INI_MH(OnUpdateSerializer)
        return SUCCESS;
 }

+static PHP_INI_MH(OnUpdateSaveDir) {
+       /* Only do the safemode/open_basedir check at runtime */
+       if(stage == PHP_INI_STAGE_RUNTIME) {
+               if (PG(safe_mode) && (!php_checkuid(new_value, NULL, CHECKUID_ALLOW_ONLY_DIR))) {
+                       return FAILURE;
+               }
+
+               if (php_check_open_basedir(new_value TSRMLS_CC)) {
+                       return FAILURE;
+               }
+       }
+       OnUpdateString(entry, new_value, new_value_length, mh_arg1, mh_arg2, mh_arg3, stage TSRMLS_CC);
+       return SUCCESS;
+}

 /* {{{ PHP_INI
  */
@@ -124,9 +138,9 @@ PHP_INI_BEGIN()
        STD_PHP_INI_BOOLEAN("session.bug_compat_42",    "1",         PHP_INI_ALL, OnUpdateBool,   bug_compat,         php_ps_glo
bals,    ps_globals)
        STD_PHP_INI_BOOLEAN("session.bug_compat_warn",  "1",         PHP_INI_ALL, OnUpdateBool,   bug_compat_warn,    php_ps_glo
bals,    ps_globals)
 #ifdef PHP_WIN32
-       STD_PHP_INI_ENTRY("session.save_path",          "",      PHP_INI_ALL, OnUpdateString, save_path,          php_ps_globals
,    ps_globals)
+       STD_PHP_INI_ENTRY("session.save_path",          "",          PHP_INI_ALL, OnUpdateSaveDir,save_path,          php_ps_glo
bals,    ps_globals)
 #else
-       STD_PHP_INI_ENTRY("session.save_path",          "/tmp",      PHP_INI_ALL, OnUpdateString, save_path,          php_ps_glo
bals,    ps_globals)
+       STD_PHP_INI_ENTRY("session.save_path",          "/tmp",      PHP_INI_ALL, OnUpdateSaveDir,save_path,          php_ps_glo
bals,    ps_globals)
 #endif
        STD_PHP_INI_ENTRY("session.name",               "PHPSESSID", PHP_INI_ALL, OnUpdateString, session_name,       php_ps_glo
bals,    ps_globals)
        PHP_INI_ENTRY("session.save_handler",           "files",     PHP_INI_ALL, OnUpdateSaveHandler)
 [2006-09-16 10:23 UTC] serokka at hrn dot ru
Also I have made a test, copying new ext/session (php 4.4.4) to old distributive (4.3.11), but i haven't got this Warning.
It seems to be a bug in Apache per VirtualHost php runtime settings at 4.4 branch.
 [2006-09-17 10:19 UTC] tony2001@php.net
Can't replicate it on Linux with Apache2/prefork and worker.
Please check if you can reproduce it with PHP 4.4.2 (there was a change in 4.4.3 that I suspect might have affected it). 
 [2006-09-17 11:30 UTC] serokka at hrn dot ru
I gonna say, that this problem stands still from the start of 4.4 branch (4.4.1, 4.4.2 also).
And i m affraid you should install FreeBSD.
Some steps to repro:
1) FreeBSD 4.9-4.11
2) Apache 2.0.54 prefork (1 VirtualHost in main conf file + 30-40 in included conf file, open_basedir setting in each entry)
3) PHP 4.4.x as module

Result: We have mentioned warning (1 per 20 refreshes of a page), pointing to the first open_basedir value of included conf file (i.e. second VirtualHost!). It appears at displaying ANY file even simple HTML (without php and no .htaccess)!
 [2006-09-17 11:39 UTC] tony2001@php.net
>And i m affraid you should install FreeBSD
Did you really try an other system or are you saying that because you tested it only on Fbsd ?
 [2006-09-17 11:46 UTC] serokka at hrn dot ru
We have FreeBSD 4.9-4.11 on our servers.
So bug was reproduced upon them all.
I dont have real production environment to test it under Linux.
 [2006-09-17 11:59 UTC] tony2001@php.net
And I don't have FreeBSD, so let's wait for someone who can provide me a machine for tests.
 [2006-09-17 15:05 UTC] bjori@php.net
I can't reproduce this on FreeBSD6.1....
 [2006-09-17 21:20 UTC] serokka at hrn dot ru
I can send you compiled binary (php + apache2), if you install comat also, i think you can repro it.
 [2006-11-08 21:45 UTC] tony2001@php.net
See also bug #38566.
 [2006-11-08 22:04 UTC] noc at smartterra dot de
> And I don't have FreeBSD, so let's wait for someone who can provide me a
machine for tests.

"If I can help you to fix this bug, let me know" - surely I can provide you a FreeBSD box. I will set up a machine where the bug can be reproduced. I will come back to you.

Regards,

Falk Brockerhoff
 [2006-11-08 22:25 UTC] tony2001@php.net
No, thanks, we've already figured out that this issue exists only on FreeBSD and only with Apache2, because of some changes done to the Apache engine.
Though, solution is not known yet.
 [2006-11-17 14:33 UTC] ndsrox at gmx dot net
Hey folks,

i, better said my our customers, hat exactly this bug on a linux system! So it`s not limited to FreeBSD.
 [2006-11-28 19:50 UTC] steveny at missiondata dot com
We are having the same issue on:

Fedora Core release 4 
PHP 4.4.4 (./configure --with-apxs2=/web/apache/bin/apxs --with-mysql --with-pgsql --with-gd --with-zlib --with-jpeg-dir --with-gettext --enable-mbstring --enable-track-vars --with-xml --with-curl)
Apache/2.0.55

If there is more info that I can provide, please let me know.  For now, I guess the only option is to pull back to PHP 4.3.11
 [2007-01-11 12:33 UTC] prieler at abm dot at
hi!

i also have this problem.
as already said on some reloads of a simple .jpg image this error occurs:
<br /> <b>Warning</b>: Unknown(): SAFE MODE Restriction in effect. The script whose uid/gid is ... is not allowed to access ... owned by uid/gid ... in <b>Unknown</b> on line <b>0</b><br />
i've testet it with apache 2.2.0 and apache 2.2.4. and on each compiled the phpversions 4.3.11, 4.4.2 and 4.4.4.
Operating-System is a SuSE-Linux 10.0

i think the error comes on the first time i open an image after apache is restarted.
ignore_repeated_errors = On / Off doesn't change anything.

thanks.
 [2007-01-25 21:27 UTC] david at cryptix dot de
I have the same issue on:
Debian Etch
Apache/2.2.3 (Debian) PHP/4.4.4-8 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_chroot/0.5
 [2007-02-19 13:49 UTC] jos at webstekker dot nl
The same problem exists when upgrading from 5.2.0 to 5.2.1 on Windows 2003 Server (web edition).

safe_mode=on, safe_mode_gid=off:

Warning: include() [function.include]: SAFE MODE Restriction in effect. The script whose uid is 1 is not allowed to access ./text/Home.txt owned by uid 0 in E:\wwwroot\test\Home.php on line 14

safe_mode=on, safe_mode_gid=on:

Warning: include() [function.include]: SAFE MODE Restriction in effect. The script whose uid/gid is 1/1 is not allowed to access ./text/Home.txt owned by uid/gid 0/0 in E:\wwwroot\test\Home.php on line 14

This works fine in 5.2.0 without any changes to the server configuration.
 [2007-03-09 07:10 UTC] mspado at hotmail dot com
Hi,

We've experienced this issue numerous times since rolling out Apache2 (2.2.3) with PHP 4 (4.4.2 - yes only 4.4.2 because of http://bugs.php.net/bug.php?id=40514) last week.

Example error 1:
Warning: Unknown(): SAFE MODE Restriction in effect. The script whose
uid/gid is 0/0 is not allowed to access /home/xx/xxx/xxxdomain.net/tmp owned by
uid/gid 306628/100 in Unknown on line 0

Example error 2:
The XML page cannot be displayed
Cannot view XML input using XSL style sheet. Please correct the error and then click the Refresh button, or try again later.
--------------------------------------------------------------------------------
Only one top level element is allowed in an XML document. Error processing resource 'http://www.xxdomain.org/'. ...
<b>Warning</b>: Unknown(): SAFE MODE Restriction in effect. The script whose uid/gid is 0/0 is not allowed to ...
(cut off due to xml doc style error)

Example error 3. This error is especially interesting because you can note that the requested file on yydomain and the allowed path of xxdomain (and no, its not a configuration error):

*Warning*: Unknown(): open_basedir restriction in effect.
File(/home/yy/yy/yydomain.com.au/public/www/admin/index.php) is
not within the allowed path(s):
(/home/xx/xx/xxdomain.org.au/:/usr/local/lib/php:/tmp/php_upload) in
*Unknown* on line *0*

This is a serious bug, we will have to roll back to Apache1.


-- PHP
PHP 4.4.2 (cli) (built: Feb 28 2007 17:14:01)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies

-- Apache
Server version: Apache/2.2.3
Server built:   Feb 28 2007 16:59:03
Server's Module Magic Number: 20051115:3
Server loaded:  APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture:   32-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

-- OS
Fedora Core 
Cannot pin it down to being limited to FC3 or FC5 or both.
 [2007-03-09 07:18 UTC] mspado at hotmail dot com
Forgot to say:

A common thread to issues with this bug has been the use of 'php_admin_value upload_tmp_dir /xxx/xxx/xxx/tmp'

M.
 [2007-03-14 10:14 UTC] david dot guenault at gmail dot com
first of all this is my environment
>SLES 10
>Apache 2.0.59 
>Php 4.4.6 

I use virtual host to configure my different web sites like this

<VirtualHost *:80>
  DocumentRoot /data1user/apache/domain.tld
  ServerName www.domain.tld  
  ErrorLog /data1sys/journaux/apache/domain/error_log
  CustomLog /data1sys/journaux/apache/domain/access_log combined

  # specific php configuration for this virtual host
  php_admin_value doc_root /data1user/apache/domain.tld
  php_admin_value session.save_path /data1sys/phpsession_domain.tld    
  php_admin_value file_uploads on
  php_admin_value upload_tmp_dir /data1sys/phpupload_domain.tld
  php_admin_value error_log /data1sys/journaux/apache/testphp/php_domain.tld.log 
</VirtualHost>

I've noticied one interesting thing.

before the error occure i check session.save_path => ok this is the right directory.
When the error occure session.save_path back to the default value (aka /tmp).
apache is running as user usrhttpd and group grphttpd. The top level directory for storing session is /data1sys and is owned by user root and group root. The directory used to store sessions is phpsession_domain.tld under /data1sys and is owned by usrhttpd:grphttpd.
If i change /datasys group to grphttpd the error disapear.
If i remove the directive php_admin_value session.save_path /data1sys/phpsession_domain.tld. from my vhost then all is going right.

hope this help.
 [2007-03-14 13:02 UTC] david dot guenault at gmail dot com
update my precedent post :
if you simply add a trailing slash to session.save_path this will discard the problem. 
here is why :
in safe_mode.c in the function php_checkuid_ex
when mode argument is CHECKUID_ALLOW_ONLY_DIR
at line 119
s = strrchr(filename, DEFAULT_SLASH); 
returns a pointer to the last occurrence of the character / in the string filename. if your path is like this /data1sys/phpsession the pointer is on the second slash not at the end of the path. The uid/gid check is made on the parent folder (/data1sys) not the real folder (/data1sys/phpsession). So when /data1sys is owned by a user that is different from the user running apache, the test fail.
 [2007-04-03 16:10 UTC] marcel dot prisi at virtua dot ch
I got the exact same problem on a FreeBSD-5.5 / Apache-2.0.59 / php-4.4.6 (all from ports)

Adding a trailing slash to session.save_path didn't help, I had to comment it from the virtualhost config in order to have the error go away.

Quite serious I think ...
 [2007-04-24 23:02 UTC] gbjbaanb at users dot sourceforge dot net
I have Apache 2.0.59 with php 4.4.6 just installed and my sites, that worked fine with php_admin_value open_basedir /home/xxx/:/tmp/:xxx inside the vhost configuration now fail.

This is on CentOS 4.4, x86_64.

Quite serious? PHP has a reputation for insecure code, this is not good.
 [2007-06-16 13:04 UTC] noc at smartterra dot de
Update on my first submission on this bug:

I can reproduce it now on FreeBSD 6.2, Apache 2.0.59 and PHP4.4.7. No .htaccess oder any other defined .html-Handler. Loading test.HTML produces this error:

[Sat Jun 16 15:01:17 2007] [error] [client <myclientip>] PHP Warning:  Unknown(): SAFE MODE Restriction in effect.  The script whose uid/gid is 1002/1002 is not allowed to access /usr/local/www/test owned by uid/gid 80/80 in Unknown on line 0
 [2007-07-13 21:14 UTC] lars at erhardsen dot dk
I'm also experiencing this on Linux 2.4.27, Apache 2.0.59 and PHP 4.4.9.

Sometimes, files cannot be found, either resulting in strange file-not-found errors in for instance WordPress or in the safe mode restriction error.

I ran PHP 4.4.0 before, and experienced no problems at all.
 [2008-07-11 21:18 UTC] jani@php.net
We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6
ready.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 04 22:01:29 2024 UTC