Hi,

I work for a web hosting / ASP / Linux company, and my last problem is using
a standard library (which can be accessed by any PHP user, like PEAR) while
keeping other directories secret.

The solution for the first problem is 'include_path = ".:/path/to/shared/libs"',
and for the second one is 'safe_mode = on'.

Well, it's good enough, but there's a little glitch: file ownership.  In safe
mode the interpreter refuses to open files whose owner uid is not the same
as the running script's. E.g. I have to copy the stdlib (ohh, those wonderful
days of MudOS mudlib writing!) for each user of each virtual host.

I think a safe_mode_checkuid flag would solve the problem.

In stock php 4.0.4pl1 safe_mode is checked by

- sapi/apache/php_apache: AUTHORIZATION env.var is not serviced
- main/fopen-wrappers: fopen wrappers check for same userid
- main/main: set_time_limit is blocked
- ext/standard/basic_functions: handles safe_mode_(allowed|protected)_env_vars
- ext/standard/dl: dl is blocked
- ext/standard/exec: exec is restricted to safe_mode_exec_dir and ``s are
  blocked
- ext/standard/file: popen is restricted to safe_mode_exec_dir
  mkdir, rmdir, rename, unlink, copy are privileges-checked
- ext/standard/filestat: chgrp, chown, chmod, touch are privileges-checked
  chmod is limited to 0777 (no special rights)
- ext/standard/link: symlink, link are privileges-checked
- ext/posix/posix: mkfifo is privileges-checked
- ext/pgsql/pgsql: pg_loimport is privileges-checked
- ext/filepro/filepro: filepro, filepro_rowcount, filepro_retrieve are
  privileges-checked
- ext/dbase/dbase: dbase_open, dbase_create are privileges-checked
- ext/db/db: dbmopen is privileges-checked

Check/block summary

env.var block:
  - AUTHORIZATION (only in apache SAPI)
function block:
  - dl
  - set_time_limit
function restrictions: 
  - safe_mode_allowed_env_vars
  - safe_mode_protected_env_vars
privileges:
  - sanity checks
    mkdir, rmdir, rename, unlink, copy, chgrp, chown, chmod, touch,
    symlink, link, mkfifo, pg_loimport, filepro, filepro_rowcount,
    filepro_retrieve, dbase_open, dbase_create, dbmopen
  - special access permissions block
    chmod
  - userid checks
    fopen

Conclusion

Some things are must-haves in safe_mode, but I would add a separate flag for
each type (well, the privilege sanity checks don't do any harm, so this type
doesn't need another flag).

Comments? Implementations?
-- 
Nagy Balazs, LSC
http://www.lsc.hu/
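
As an added illustration (not code from this post or from PHP's source), the owner check listed under main/fopen-wrappers and the proposed safe_mode_checkuid switch can be modelled in C as follows. The flag names, sm_open, sm_probe, sm_demo and the sample path are hypothetical; the file is opened first and checked with fstat so the owner compared belongs to the file actually opened.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical per-category flags, one per check type in the summary;
 * SM_CHECK_UID stands for the proposed safe_mode_checkuid. */
enum { SM_BLOCK_FUNCS = 1, SM_RESTRICT_ENV = 2, SM_CHECK_UID = 4 };

/* Open `path` read-only for a script owned by `script_uid`.
 * Returns a file descriptor, or -1 if the open or the policy fails. */
int sm_open(const char *path, uid_t script_uid, unsigned flags)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    /* fstat the descriptor, not the path: no window between check and use. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        ((flags & SM_CHECK_UID) && st.st_uid != script_uid)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if the open would be allowed under `flags`, 0 otherwise. */
int sm_probe(const char *path, uid_t script_uid, unsigned flags)
{
    int fd = sm_open(path, script_uid, flags);
    if (fd >= 0) close(fd);
    return fd >= 0;
}

/* Constructed sample: a "shared library" file owned by the current user,
 * probed as its owner and as a different (foreign) uid. */
int sm_demo(void)
{
    const char *path = "/tmp/sm_demo_shared_lib.inc";
    uid_t me = geteuid(), other = me + 1;
    int r, fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0644);
    if (fd < 0) return -1;
    close(fd);
    r = sm_probe(path, me, SM_CHECK_UID)             /* bit 0: owner, check on */
      | sm_probe(path, other, SM_CHECK_UID) << 1     /* bit 1: foreign, check on */
      | sm_probe(path, other, SM_BLOCK_FUNCS) << 2;  /* bit 2: foreign, check off */
    unlink(path);
    return r;
}

int main(void) { return sm_demo() == 5 ? 0 : 1; }
```

With the uid check on, only the owner's probe succeeds; with that one flag cleared, a foreign uid can read the shared file while the other categories stay enabled.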

-- 
PHP Development Mailing List <http://www.php.net/>