 ID:               19709
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Bogus
 Bug Type:         Filesystem function related
 Operating System: Linux
 PHP Version:      4.2.2
 New Comment:

Sorry, but the bug system is not the appropriate forum for asking support questions. Your problem does not imply a bug in PHP itself. For a list of more appropriate places to ask for help using PHP, please visit http://www.php.net/support.php

Thank you for your interest in PHP.

That's why you should set up open_basedir for each user (virtual host) that prevents users from opening files that are outside of their home/web directory. The uploaded files via PHP will always be owned by the webserver, there is no way to avoid this unless you use PHP as cgi.

Previous Comments:
------------------------------------------------------------------------

[2002-10-02 04:07:24] [EMAIL PROTECTED]

I'm using PHP as an Apache module in a hosting environment with safe_mode On. Every user transfers their scripts via FTP, so every script has its own UID and the PHP execution can be safe (it cannot access files of other domains), but if somebody uploads a PHP script (via upload or via a script created by another PHP script), this script gets owner and group nobody:nobody (nobody is the Apache user). So if somebody uploads a malicious script that tries to open a script owned by nobody (uploaded or installed by PHP too) of another user, it succeeds.

Is this normal or is it a "bug"?

I've noticed this because a lot of users use phpnuke/postnuke, so their configuration files are stored in .php.inc files that are owned by nobody; if another user knows this, they could read others' files and passwords.

Regards.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=19709&edit=1
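
The per-virtual-host open_basedir setup recommended in the reply, as an added example that is not part of the original bug report. The host names and /home paths are constructed placeholders; the trailing slash is deliberate because PHP of this era (4.2.2 is the version reported) matches the open_basedir value as a path prefix.

```apache
# Constructed example: two customers sharing one Apache + mod_php server.
# Host names and directory paths are placeholders, not taken from the report.

<VirtualHost *:80>
    ServerName   alice.example.com
    DocumentRoot /home/alice/public_html

    # php_admin_value is only honoured in the server configuration, so a
    # customer's .htaccess or ini_set() call cannot loosen the restriction.
    #
    # Keep the trailing slash. Without it the value is treated as a prefix,
    # and "/home/alice" would also allow "/home/alice2/...".
    php_admin_value open_basedir "/home/alice/"
    php_admin_flag  safe_mode On
</VirtualHost>

<VirtualHost *:80>
    ServerName   bob.example.com
    DocumentRoot /home/bob/public_html

    # Files that PHP creates under /home/alice/ are still owned by the web
    # server user (nobody), so safe_mode's owner check does not separate the
    # two customers. This path restriction does: a script served from this
    # virtual host cannot open anything outside /home/bob/.
    php_admin_value open_basedir "/home/bob/"
    php_admin_flag  safe_mode On
</VirtualHost>
```

Calling fopen() on a path under /home/alice/ from a script in the second virtual host should then fail with an open_basedir restriction warning, which is a quick way to confirm that the setting is active for each customer.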
