From:             timo dot hummel at 4fb dot de
Operating system: SuSE Linux 8.2 Linux 2.4.19
PHP version:      Irrelevant
PHP Bug Type:     *Directory/Filesystem functions
Bug description:  SAFE_MODE design issues

Description:
------------
Hello bug processors,

please read the following bug report carefully, as it makes file and
directory operations completely useless. At the end of this report, you
find recommendations about what we should do.

Take a breath, it's quite a bunch of stuff to read and understand.
Remember that the following is only an example, but which could be applied
to almost every system running PHP with SAFE_MODE and where scripts need
to perform file and directory operations.

As you might all know, providers tend to host multiple domains on a single
machine. In the example, Apache runs as the system user "wwwrun", and we
have a client user which has the system user "client". We have the
following script:

<?php
mkdir("test");
?>

in the htdocs directory of the webserver:

-rw-r--r-- 1 client users 24 test.php

Given the fact that the directory where test.php resides is owned by
"client", test.php was called via the web, and SAFE_MODE is on, the
following happens:

- the directory "test" will be created
- the directory "test" has the owner "wwwrun"
- any further operations with the directory "test" will fail since
  SAFE_MODE is on and doesn't allow any operations on files and/or
  directories not owned by the owner of the script

This introduces another problem:

move_uploaded_file will fail in the above scenario. The htdocs directory
of "client" is writable and owned by "client". If now a file is uploaded,
it is stored in the PHP_TEMP_DIR specified in the php.ini with the user
"wwwrun", thus making "move_uploaded_file" fail if it should be moved to
the htdocs-directory of "client".

The big problem with the SAFE_MODE of PHP is maybe a communications
problem, but I try to propose a few solutions:

1.) Modify the SAFE_MODE concept to become consistent. I.e. if a directory
is created with a script owned by "client", the new directory should also
belong to "client" instead of wwwrun, or SAFE_MODE shouldn't check the
owner of the script, but rather the executor of the script.

2.) Modify the documentation of SAFE_MODE and all related file/directory
functions that for the proper operation of file and directory functions,
the owner and executor have to be the same user.

3.) Modify the documentation of SAFE_MODE and all related file/directory
functions that for the proper operation of file and directory functions in
a multi-user/single-executor scenario, safe_mode_gid should be set,
including the correct group rights.

The above problems are one reason why most PHP content management systems
recommend turning SAFE_MODE off in order to make file uploads work.

The issue was tested with many PHP versions on many different systems
(although I haven't tried PHP 5.0 yet), but I'm looking forward to seeing the
issue resolved in any way in the future.

best regards,
 Timo



-- 
Edit bug report at http://bugs.php.net/?id=24604&edit=1
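
The ownership rule the report describes, as an added example that is not part of the original bug report or PHP's own source: a simplified PHP model of the safe_mode UID check and the safe_mode_gid relaxation from proposal 3. The UIDs, GIDs and function names are constructed for illustration, and the model assumes a new directory takes the UID and primary GID of the executing process.

```php
<?php
// Simplified model of the safe_mode ownership rule (not PHP's internal code).
// All UIDs, GIDs and function names are constructed for illustration.

// safe_mode compares the target's owner with the script's owner; with
// safe_mode_gid enabled, a matching group is accepted as well.
function safe_mode_permits(array $script, array $target, bool $safeModeGid): bool
{
    if ($script['uid'] === $target['uid']) {
        return true;
    }
    return $safeModeGid && $script['gid'] === $target['gid'];
}

// Assumption: a new entry takes the UID and primary GID of the executing
// process (the web server), never those of the script's owner.
function created_by(array $executor): array
{
    return ['uid' => $executor['uid'], 'gid' => $executor['gid']];
}

// Replays the report's scenario: mkdir("test") in htdocs, then a later
// operation on the new directory.
function replay(array $script, array $executor, bool $safeModeGid): array
{
    $htdocs = $script;               // htdocs is owned by the script owner
    $test   = created_by($executor); // directory produced by mkdir("test")
    return [
        'mkdir("test") in htdocs' => safe_mode_permits($script, $htdocs, $safeModeGid),
        'later operation on test' => safe_mode_permits($script, $test, $safeModeGid),
    ];
}

$client = ['uid' => 1001, 'gid' => 100]; // owner of test.php, group "users"
$setups = [
    'UID check only'               => [['uid' => 30, 'gid' => 8], false],
    'safe_mode_gid, other group'   => [['uid' => 30, 'gid' => 8], true],
    'safe_mode_gid, group "users"' => [['uid' => 30, 'gid' => 100], true],
];

foreach ($setups as $label => [$wwwrun, $safeModeGid]) {
    echo $label, PHP_EOL;
    foreach (replay($client, $wwwrun, $safeModeGid) as $step => $allowed) {
        printf("  %-26s %s%s", $step, $allowed ? 'allowed' : 'denied', PHP_EOL);
    }
}
```

In this model the later operation on "test" is permitted only in the third setup, where safe_mode_gid is on and the web server process shares the script owner's group.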