From:             [EMAIL PROTECTED]
Operating system: Linux
PHP version:      4.0.4pl1
PHP Bug Type:     PHP options/info functions
Bug description:  No trivial way to bypass safe mode when running as a shell

I keep PHP both as an apache module and as a standalone shell,

However, to be responsible, I need safe mode for the apache module and so it's in the 
.ini file.

But when I run the script from a standalone shell from suexec, PHP insists on
reading the .ini, going into safe mode, and then setuid's -1, from which there is
no recovery.

There is no way around this except to compile each version with a separate 
config-file-path, one path has a config without safe_mode and one does.

    script file has same owner uid as POSIX getuid()
    script is being executed through a shell (#!/usr/local/bin/php)

You cannot specify an alternate config file from the shell invocation when being 
executed from suexec -- it
will keep on reporting, "No input file specified" (which is an entirely separate 

There should be an option for the shell not to enter safe-mode, and it could be 
specified as part
of the shell invocation line in the script, (ie #!/usr/local/bin/php --no-safe-mode)  
I think if some restriction control could be placed in the .ini file to restrict who 
is allowed to perform that function, that would safe enough.


Edit Bug report at:

PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to