From: [EMAIL PROTECTED]
Operating system: Linux
PHP version: 4.0.4pl1
PHP Bug Type: PHP options/info functions
Bug description: No trivial way to bypass safe mode when running as a shell
I keep PHP both as an apache module and as a standalone shell,
However, to be responsible, I need safe mode for the apache module and so it's in the
.ini file.
But when I run the script from a standalone shell from suexec, PHP insists on
reading the .ini, going into safe mode, and then setuid's -1, from which there is
no recovery.
There is no way around this except to compile each version with a separate
config-file-path, one path has a config without safe_mode and one does.
Scenario:
script file has same owner uid as POSIX getuid()
script is being executed through a shell (#!/usr/local/bin/php)
You cannot specify an alternate config file from the shell invocation when being
executed from suexec -- it
will keep on reporting, "No input file specified" (which is an entirely separate
issue.)
There should be an option for the shell not to enter safe-mode, and it could be
specified as part
of the shell invocation line in the script, (ie #!/usr/local/bin/php --no-safe-mode)
I think if some restriction control could be placed in the .ini file to restrict who
is allowed to perform that function, that would safe enough.
Bram
--
Edit Bug report at: http://bugs.php.net/?id=9516&edit=1
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
