[1998-09-22 11:08 UTC] rasmus
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Tue Dec 23 21:00:01 2025 UTC
I was experimenting with safe mode on 3.0.2a (Apache-1.3.0 on DU4.0) and found something unexpected. I was working on a script to create a new file in a directory owned by the script and writable by the web server (running under http). I found that I could create a file even though the directory was owned by someone other than the script owner (but still writable by the web server). I tracked this down to the php3_fopen_wrapper routine in fopen-wrappers.c, where a call was made to _php3_checkuid(path, 1). My query is that this should be _php3_checkuid(path, 2) as well. My quick patch is:

*** fopen-wrappers.c Tue Aug 11 10:57:15 1998 --- fopen-wrappers.c.orig Mon Aug 10 16:01:16 1998 *************** *** 108,114 **** if (options & USE_PATH && php3_ini.include_path != NULL) { return php3_fopen_with_path(path, mode, php3_ini.include_path, NULL); } else { ! if (options & ENFORCE_SAFE_MODE && php3_ini.safe_mode && !(_php3_checkuid(path, 1)&&_php3_checkuid(path, 2))) { php3_error(E_WARNING, "SAFE MODE Restriction in effect. Invalid owner of file to be read."); return NULL; } --- 108,114 ---- if (options & USE_PATH && php3_ini.include_path != NULL) { return php3_fopen_with_path(path, mode, php3_ini.include_path, NULL); } else { ! if (options & ENFORCE_SAFE_MODE && php3_ini.safe_mode && (!_php3_checkuid(path, 1))) { php3_error(E_WARNING, "SAFE MODE Restriction in effect. Invalid owner of file to be read."); return NULL; }
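
Review bot: the context diff is generated in the reverse direction. The `***` header names fopen-wrappers.c (Aug 11) and the `---` header names fopen-wrappers.c.orig (Aug 10), so the line carrying the proposed check, `!(_php3_checkuid(path, 1)&&_php3_checkuid(path, 2))`, sits on the "old" side, and applying the patch as posted would replace it with the single `(!_php3_checkuid(path, 1))` test. Regenerate it as `diff -c fopen-wrappers.c.orig fopen-wrappers.c`, or apply it with `patch -R`. Separately, the php3_error text is unchanged and still reads "Invalid owner of file to be read.", which does not describe every rejection once the mode 2 check can also fail, and the report is about creating a file rather than reading one; a message that says which check rejected the path would make the denial easier to diagnose.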