I work for a web hosting / ASP / Linux company, and my last problem is using
a standard library (which can be accessed by any PHP user, like PEAR), and
keeping other directories secret.

The solution for the first problem is 'include_path = ".:/path/to/shared/libs"',
and for the second one it is 'safe_mode = on'.

Well, it's good enough but there's a little glitch: file ownership.  In safe
mode the interpreter refuses to open files whose owner uid is not the same
as the running script's. E.g. I have to copy the stdlib (ohh, those wonderful
days of MudOS mudlib writing!) for each user of each virtual host.

I think a safe_mode_checkuid flag would solve the problem.

In stock php 4.0.4pl1 safe_mode is checked by

- sapi/apache/php_apache: AUTHORIZATION env.var is not serviced
- main/fopen-wrappers: fopen wrappers check for same userid
- main/main: set_time_limit is blocked
- ext/standard/basic_functions: handles safe_mode_(allowed|protected)_env_vars
- ext/standard/dl: dl is blocked
- ext/standard/exec: exec is restricted to safe_mode_exec_dir and ``s are
- ext/standard/file: popen is restricted to safe_mode_exec_dir
  mkdir, rmdir, rename, unlink, copy are privileges-checked
- ext/standard/filestat: chgrp, chown, chmod, touch are privileges-checked
  chmod is limited to 0777 (no special rights)
- ext/standard/link: symlink, link are privileges-checked
- ext/posix/posix: mkfifo is privileges-checked
- ext/pgsql/pgsql: pg_loimport is privileges-checked
- ext/filepro/filepro: filepro, filepro_rowcount, filepro_retrieve are
- ext/dbase/dbase: dbase_open, dbase_create are privileges-checked
- ext/db/db: dbmopen is privileges-checked

Check/block summary

env.var block:
  - AUTHORIZATION (only in apache SAPI)
function block:
  - dl
  - set_time_limit
function restrictions: 
  - safe_mode_allowed_env_vars
  - safe_mode_protected_env_vars
  - sanity checks
    mkdir, rmdir, rename, unlink, copy, chgrp, chown, chmod, touch,
    symlink, link, mkfifo, pg_loimport, filepro, filepro_rowcount,
    filepro_retrieve, dbase_open, dbase_create, dbmopen
  - special access permissions block
  - userid checks


Some things are must-haves in safe_mode, but I would add a separate flag for each
type (well, the privilege sanity checks don't do any harm, so this type
doesn't need another flag).

Comments? Implementations?
Nagy Balazs, LSC
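
An added illustration, not part of the original post and not PHP source: a simplified C model of the owner comparison described above and of what the proposed safe_mode_checkuid flag would switch off. The struct, function names, result codes, the fail-closed choice on stat() errors and the sample uids are assumptions made for this example.

```c
/* Added illustration: simplified model of the safe_mode owner check,
 * not PHP source. safe_mode_checkuid is the flag proposed in the post. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct sm_config {
    int safe_mode;          /* safe_mode = on */
    int safe_mode_checkuid; /* proposed: 0 turns off only the uid comparison */
};

enum sm_result { SM_ALLOW, SM_DENY_OWNER, SM_DENY_STAT };

/* May a script owned by script_uid open path? */
enum sm_result sm_check_open(const struct sm_config *cfg, uid_t script_uid,
                             const char *path)
{
    struct stat st;

    if (!cfg->safe_mode || !cfg->safe_mode_checkuid)
        return SM_ALLOW;            /* no owner comparison at all */
    if (stat(path, &st) != 0)
        return SM_DENY_STAT;        /* model choice: fail closed */
    return st.st_uid == script_uid ? SM_ALLOW : SM_DENY_OWNER;
}

/* Create an empty sample file owned by the current process. */
int sm_make_sample(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    return close(fd);
}

int main(void)
{
    char lib[] = "/tmp/sm_stdlib_XXXXXX";   /* constructed stand-in for the shared library */
    struct sm_config strict = {1, 1}, relaxed = {1, 0};
    uid_t owner = geteuid(), customer = owner + 1; /* constructed uids */

    if (sm_make_sample(lib) != 0)
        return 1;
    printf("owner, strict:     %d\n", sm_check_open(&strict, owner, lib));
    printf("customer, strict:  %d\n", sm_check_open(&strict, customer, lib));
    printf("customer, relaxed: %d\n", sm_check_open(&relaxed, customer, lib));
    unlink(lib);
    return 0;
}
```

In this model, turning the flag off returns SM_ALLOW for every path, not only the shared library, so keeping other customers' directories private would then depend on something other than the uid comparison.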
