From: Andreas dot Ley at rz dot uni-karlsruhe dot de
Operating system:
PHP version: 4.3.3
PHP Bug Type: Feature/Change Request
Bug description: safe_mode ignores uid of files written

Description:
------------
When using PHP as an apache module and safe_mode is on, PHP checks whether the owner of the script and the owner of the directory where a file should be written match. However, this owner and the uid of the apache process which runs the PHP script may be different (multi-user system with one apache but many user homepages). Thus a user may be able to create files which are owned by the apache user - this is a problem when quotas are enabled to restrict user disk space usage.

A solution to this issue would be to also check the uid of the apache process against the owner of the directory. A possible implementation is this patch:

http://andy.rz.uni-karlsruhe.de/~andy/source/Patches/php-4.3.3/safe_mode_write-patch

This changes PHP's behaviour in a way which may or may not be desirable at different sites, so this should be configurable either in configure or in php.ini.

This differs from bug #18407, since I don't want to read apache owned files but need to prevent them from being created (which circumvents quotas).

As gtg782a suggested in the notes at http://www.php.net/manual/en/features.safe-mode.php, another solution would be to (safely and securely) change the owner of the files written; this seems much more complicated to me.

--
Edit bug report at http://bugs.php.net/?id=25572&edit=1
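
The two checks the report contrasts, as an added C sketch (not PHP's safe_mode code and not the linked patch). The names `check_dir_write` and `dir_owner` and the `strict` switch are hypothetical, and the uids used in `main` are constructed.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum write_verdict {
    WRITE_ERR = -1,         /* directory could not be examined */
    WRITE_OK = 0,           /* every enabled check passed */
    WRITE_DENY_SCRIPT = 1,  /* script owner != directory owner */
    WRITE_DENY_PROCESS = 2  /* new file would be owned by a different uid */
};

/* Owner of a directory, or (uid_t)-1 if it cannot be examined. */
uid_t dir_owner(const char *dir)
{
    struct stat sb;
    if (stat(dir, &sb) != 0 || !S_ISDIR(sb.st_mode))
        return (uid_t)-1;
    return sb.st_uid;
}

/*
 * script_uid: owner of the running script (the check the report describes).
 * proc_uid:   effective uid of the server process; files it creates get
 *             this owner, so quota is charged to this uid.
 * strict:     hypothetical switch enabling the additional comparison.
 */
enum write_verdict check_dir_write(const char *dir, uid_t script_uid,
                                   uid_t proc_uid, int strict)
{
    uid_t owner = dir_owner(dir);
    if (owner == (uid_t)-1)
        return WRITE_ERR;
    if (owner != script_uid)
        return WRITE_DENY_SCRIPT;
    if (strict && owner != proc_uid)
        return WRITE_DENY_PROCESS;
    return WRITE_OK;
}

int main(void)
{
    uid_t user = dir_owner(".");  /* treat "." as a user's directory */
    uid_t httpd = user + 1;       /* constructed: server runs as another uid */
    printf("owner check only:   %d\n", check_dir_write(".", user, httpd, 0));
    printf("with process check: %d\n", check_dir_write(".", user, httpd, 1));
    return 0;
}
```

With only the script-owner comparison the write is allowed even though the resulting file belongs to the server's uid; the additional comparison refuses it.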
