Request #8963 using shared PHP libraries in safe_mode
Submitted: 2001-01-28 05:36 UTC Modified: 2006-10-27 00:49 UTC
From: js at lsc dot hu Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.0.4pl1 OS: Linux Red Hat 7.0 / i386
Private report: No CVE-ID: None
 [2001-01-28 05:36 UTC] js at lsc dot hu
When I set

include_path = ".:/usr/share/php"

to access shared libraries and

safe_mode = On

is set, users cannot use files in /usr/share/php, just because there's a userid check in main/fopen_wrappers.c. It means in safe mode you can include files with the same owner userid only, as the controlling file (e.g. which contains that include or require).

My opinion: checks, mandatory blockings and security enhancements should be distinguished via a new entry in php.ini.

Excerpt of my previous mail:

Check/block summary

env.var block:
  - AUTHORIZATION (only in apache SAPI)
function block:
  - dl
  - set_time_limit
function restrictions:
  - safe_mode_allowed_env_vars
  - safe_mode_protected_env_vars
privileges
  - sanity checks
    mkdir, rmdir, rename, unlink, copy, chkgrp, chown, chmod, touch,
    symlink, link, mkfifo, pg_loimport, filepro, filepro_rowcount,
    filepro_retrieve, dbase_open, dbase_create, dbmopen
  - special access permissions block
    chmod
  - userid checks
    fopen

Conclusion

Some things are must-haves in safe_mode, but I would add a separate flag for each type (well, the privilege sanity checks don't do any harm, so this type doesn't need another flag).
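
The userid check and the per-type flags proposed in the report above, modelled in C as an added example (not part of the original report and not PHP's source). The flag names, function names and uids are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hypothetical flag names, one per check type from the summary above. */
enum {
    SM_ENV_BLOCK  = 1u << 0,  /* env.var block */
    SM_FUNC_BLOCK = 1u << 1,  /* function block: dl, set_time_limit */
    SM_UID_CHECK  = 1u << 2,  /* userid check on fopen/include */
    SM_ALL        = SM_ENV_BLOCK | SM_FUNC_BLOCK | SM_UID_CHECK
};

/* Userid check: target must have the same owner as the controlling script. */
int include_allowed(unsigned flags, uid_t script_uid, uid_t target_uid)
{
    if (!(flags & SM_UID_CHECK))
        return 1;
    return script_uid == target_uid;
}

/* Same decision from paths; fails closed if either file cannot be stat()ed. */
int include_allowed_path(unsigned flags, const char *script, const char *target)
{
    struct stat s, t;
    if (!(flags & SM_UID_CHECK))
        return 1;
    if (stat(script, &s) != 0 || stat(target, &t) != 0)
        return 0;
    return include_allowed(flags, s.st_uid, t.st_uid);
}

/* Function block: decided independently of the userid check. */
int function_allowed(unsigned flags, const char *name)
{
    if (!(flags & SM_FUNC_BLOCK))
        return 1;
    return strcmp(name, "dl") != 0 && strcmp(name, "set_time_limit") != 0;
}

int main(void)
{
    unsigned shared = SM_ALL & ~SM_UID_CHECK;  /* proposal: drop only the userid check */
    /* Constructed uids: script owned by 1000, library in /usr/share/php owned by 0. */
    printf("all checks:    include=%d\n", include_allowed(SM_ALL, 1000, 0));
    printf("uid check off: include=%d dl=%d\n",
           include_allowed(shared, 1000, 0), function_allowed(shared, "dl"));
    return 0;
}
```

With every flag set, the root-owned library is refused; clearing only the userid flag permits the include while `dl` stays blocked.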

 [2001-01-28 18:07 UTC] sniper@php.net
safe_mode has to be rewritten anyway. Reclassified as feature/change request.

--Jani
 [2006-10-27 00:49 UTC] rasmus@php.net
Safe mode is gone now, so this doesn't apply anymore.
 
Last updated: Tue Oct 26 02:03:38 2021 UTC