ID: 20054
User updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Analyzed
Bug Type: Scripting Engine problem
Operating System: Linux - Redhat 7.3
PHP Version: 4.3.0-dev
New Comment:
Just for the record, I wrote a patch for this to allow for paths to be
excluded from the safemode checks basically the same as the include
value does. Posted that the the developers list asking if anyone was
interested, enver got a reply, so I thought I'd add it in here for
completeness sake.
If anyone has any suggestions with what I can do with the patch,
let me know :}
Previous Comments:
------------------------------------------------------------------------
[2002-11-02 01:30:40] [EMAIL PROTECTED]
I've got Apache 2 and PHP 4.3.0-dev on Red Hat 7.2 with /usr/share/pear
in safe_mode_include_dir and I get "SAFE MODE Restriction in effect.
The script whose uid is 502 is not allowed to access
/usr/share/pear/Mail.php owned by uid 0" etc., with 'require_once(
"Mail.php" );' and 'require( "Mail.php" );' and ��'include( "Mail.php"
);' and 'include( "/usr/share/pear/Mail.php" );' and every other
variation I can think to try.
------------------------------------------------------------------------
[2002-10-30 11:37:56] [EMAIL PROTECTED]
The current implementation of safe_mode_include_dir only allows
require/include functions to bypass safe_mode. I've began a discussion
on php-dev on whether or not this should be expanded to include other
file operations. If you have an opinion on the matter, make it known
there (php-dev).
------------------------------------------------------------------------
[2002-10-24 12:17:37] [EMAIL PROTECTED]
Correct version (user tried with snapshot too..)
------------------------------------------------------------------------
[2002-10-24 02:49:22] [EMAIL PROTECTED]
This is possibly related to Bug #17858.
We've got Apache2 on Redhat 7.3, with safemode in php enabled. We
have safe_mode_gid set to on as well. The safe_mode include directory
is set as follows:
safe_mode_include_dir = "/home/staff/ryan/WWW"
I've then got the test script:
<?php
if ($dir = opendir("/home/staff/ryan/WWW"))
{while (($file = readdir($dir)) !== false) {
echo "$file\n";
}
closedir($dir);
} else {
echo "FAILED";
}
?>
That script has the following ownership permissions:
-rw-r--r-- 1 web nobody 229 Oct 24 15:31 test2.php
And /home/staff/ryan/WWW is:
drwxr-xr-x 5 ryan staff 4096 Oct 21 17:30 WWW
Calling the script displays "FAILED" on the browser and causes
the two following errors in the error log:
PHP Warning: opendir() [<a
href='http://www.php.net/function.opendir'>function.opendir</a>]: SAFE
MODE Restriction in effect. The script whose uid/gid is 89/99 is not
allowed to access /home/staff/ryan/WWW/ owned by uid/gid 270/110 in
/home/www/DOCS/phptest/test2.php on line 3
PHP Warning: opendir(/home/staff/ryan/WWW/) [<a
href='http://www.php.net/function.opendir'>function.opendir</a>]:
failed to open dir: Inappropriate ioctl for device in
/home/www/DOCS/phptest/test2.php on line 3
Changing the ownership permissions to the same user and/or group
causes the script to execute fine, displaying the contents with no
problems or errors.
It would appear that the safe_mode_include_dir value is not being
used, but I'm also open to the suggesion that I've stuffed up somewhere
else.
For the record, I originally started having problems with 4.2.2
(user and group returned as -1) this was fixed upgrading to 4.3.0-pre1,
but then the include_dir still had problems. I've tested it with
today's snapshot (php4-200210232100) and still have the same problem.
My config options looks like :
./configure --with-mysql=/usr/local/mysql --with-openssl --with-xml
--enable-track-vars --enable-force-cgi-redirect --enable-versioning
--with-apxs2=/usr/local/httpd/bin/apxs --with-zlib --enable-ftp
--enable-sockets --with-gettext --with-imap=/usr/local/imap
--with-imap-ssl
Ummm, help?
Cheers,
Ryan.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=20054&edit=1
