ID: 40425
Comment by: bugs at nazarenko dot net
Reported By: priappub at yahoo dot fr
Status: No Feedback
Bug Type: Safe Mode/open_basedir
Operating System: Solaris 10
PHP Version: 5.2.1
New Comment:
Since there was no feedback here I was about to open a new bug for this
issue. I decided to test again with the latest php5.2-200708011630
snapshot and now it seems to work fine!
Well sort of... The CLI script I use for testing above takes the UID
and GID of the script file and not of the user who launches the script.
Has this bug really been addressed?
Is this the intended "correct" behaviour?
Could anybody please officially comment on this?
Previous Comments:
------------------------------------------------------------------------
[2007-07-30 16:46:33] bugs at nazarenko dot net
There is no reaction for a week now... As I am not the original
submitter of the bug I cannot change its status to 'Open'.
Is anybody following this up or should I open a new bug for this issue?
------------------------------------------------------------------------
[2007-07-23 16:59:12] bugs at nazarenko dot net
I can confirm a very similar bug on Solaris 10 SPARC Update 3 with the
latest php5.2-200707231430 snapshot.
Here is the testing script /tmp/test.php:
<?php
echo "safe = " . (ini_get('safe_mode') ? "On" : "Off") . "\n";
echo "uid = " . getmyuid() . "\n";
echo "gid = " . getmygid() . "\n";
echo file_get_contents('/etc/passwd');
?>
I have performed these commands in the PHP source directory (as root):
cd /tmp/php5.2-200707231430
./configure --disable-all --disable-cgi --enable-safe-mode
make
I log in with a user account (uid:gid 2010:605)
cd /tmp/php5.2-200707231430/sapi/cli
./php test.php
The output is the following:
safe = On
uid = 0
gid = 1004
........ and then the contents of the '/etc/passwd' file.
Actually it does not matter which user is executing this script. It
always returns uid:gid as 0:1004 (even for a root user). It also does
not matter whether 'Safe Mode' is On or Off. This makes 'Safe Mode'
practically useless on the machine, as all the scripts run with root's
uid.
At first I thought that the gid 1004 is coming out of the blue, because
I do not have any groups with such id. Then I saw that the files in the PHP
source tarball as well as the compiled binary in the 'sapi/cli' directory
have uid:gid 1004:1004. So it would be logical to assume that all of
that is somehow related. I tried to change the uid:gid of the compiled
binary but it did not change the behaviour. I guess something goes wrong
during the compilation phase.
I cannot provide access to this machine at the moment, but I could
arrange it if it really was required. Otherwise I am happy to do any other
additional testing that could be useful.
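
For reference, the PHP manual documents getmyuid() and getmygid() as returning the owner of the script file, and safe mode as comparing that owner with the owner of the file being opened. The following is an added example, not code from this bug report or from PHP itself: it prints those identities next to the process UID and applies a simplified model of the owner comparison (identity_report and owner_check are hypothetical names, and the posix extension is treated as optional).

```php
<?php
// Added illustration; not PHP's safe-mode implementation.
// Models only the documented UID comparison: script owner vs. target file owner.

/** Collect the identities that are easy to confuse when testing safe mode. */
function identity_report(string $script): array
{
    return [
        // getmyuid()/getmygid(): owner of the running script file.
        'script_owner_uid' => getmyuid(),
        'script_owner_gid' => getmygid(),
        // The same owner read straight from the file system.
        'fileowner_uid'    => fileowner($script),
        // Real and effective UID of the process (posix extension, if loaded).
        'process_uid'      => function_exists('posix_getuid') ? posix_getuid() : null,
        'process_euid'     => function_exists('posix_geteuid') ? posix_geteuid() : null,
    ];
}

/** Simplified model of the owner comparison (no directory or GID fallback). */
function owner_check(int $scriptOwnerUid, string $target): string
{
    clearstatcache(true, $target);
    $owner = @fileowner($target);
    if ($owner === false) {
        return "cannot stat $target";
    }
    return $owner === $scriptOwnerUid
        ? "allow: $target is owned by uid $owner, same as the script"
        : "deny: $target is owned by uid $owner, script is owned by uid $scriptOwnerUid";
}

$script = __FILE__;
foreach (identity_report($script) as $name => $value) {
    printf("%-17s = %s\n", $name, ($value === null || $value === false) ? 'n/a' : $value);
}

$scriptUid = getmyuid();
if ($scriptUid === false) {
    exit("could not determine the script owner\n");
}
// A root-owned script reading a root-owned file passes the comparison
// no matter which unprivileged user started the interpreter.
echo owner_check($scriptUid, '/etc/passwd'), "\n";
echo owner_check($scriptUid, $script), "\n";
```

Running it once from a script owned by root and once from a copy owned by the invoking user shows whether the reported uid follows the file or the process.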
------------------------------------------------------------------------
[2007-03-21 01:00:00] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
------------------------------------------------------------------------
[2007-03-13 20:42:40] [EMAIL PROTECTED]
Sure, but they can't be in the same directory at the same time.
------------------------------------------------------------------------
[2007-03-13 20:35:27] priappub at yahoo dot fr
The 2 versions are not working at the same time.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/40425