If you care about this problem, upgrade to 4.2.0 when it's available. -- Yasuo Ohgaki
Patrick Cossette wrote:
> I'm running PHP 4.1.2 as an Apache module (Apache 1.3.24) under AIX 4.3.3.
>
> My problem has been covered in Bug #13447 but I still have it and the bug
> was under Windows 2000 but I'm running AIX. It's a security
> problem with "unlink". My site runs as the user "web" but different parts of
> my site are modified by different developers. Since all
> files are owned by "web", I set up an open_basedir so each developer is
> limited to making file operations on his directory-tree. My
> problem is that this setup does not prevent unlinking, which means that one
> can delete files that are not under his directory-tree, and
> I do not want that. With the following setup, fopen and include are
> restricted by open_basedir, which is good. But one can unlink a file
> even if it's not under his directory-tree. I have the following in
> httpd.conf:
>
> <Directory "/u/uq/web/www.uqtr.ca/">
> Options Indexes Includes FollowSymLinks
> AllowOverride None
> Order allow,deny
> Allow from all
> <IfModule mod_php4.c>
> AddType application/x-httpd-php .php
> php_flag engine on
> php_admin_value safe_mode 1
> php_admin_value safe_mode_exec_dir "/u/uq/web/www.uqtr.ca/"
> php_admin_value doc_root "/u/uq/web/www.uqtr.ca/"
> php_admin_value open_basedir "/u/uq/web/www.uqtr.ca/"
> php_admin_value user_dir "/u/uq/web/www.uqtr.ca/"
> </IfModule>
> </Directory>
>
>
> The file testerase.php is in /u/uq/web/www.uqtr.ca and contains this:
>
> <?php
> include ('/u/uq/web/entete.uqtr.ca/file_to_include'); // THE INCLUDE DOES NOT WORK: IT'S RESTRICTED BY OPEN_BASEDIR AND I'M GLAD
> unlink ('/u/uq/web/entete.uqtr.ca/file_to_delete'); // THE UNLINK WORKS: NO RESTRICTION AT ALL AND I'M UNHAPPY
> ?>
>
> I need help. Is it possible to bypass file deletion permission and restrict
> the directories in which to unlink?
>
> Thanks,
>
> Patrick
> [EMAIL PROTECTED]
>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
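The check that open_basedir applies to fopen() and include, but not to unlink() in the version discussed above, can be reproduced in userland until the upgrade is in place. This is an added example, not code from the thread or from PHP itself; the base directory is the one from Patrick's httpd.conf, and the two file names passed to it are constructed for illustration.

```php
<?php
// Added example: confine unlink() to a base directory by canonicalising the
// path (resolving ".", ".." and symlinks) and comparing against the
// canonicalised base, which is what open_basedir does for fopen()/include.

function path_within_base($path, $base)
{
    // Refuse "." and ".." as the final component; they are never a file to delete.
    $leaf = basename($path);
    if ($leaf === '.' || $leaf === '..' || $leaf === '') {
        return false;
    }

    // Canonicalise the base and force a trailing slash so that a sibling such as
    // "/u/uq/web/www.uqtr.ca-other/" does not pass a bare prefix comparison.
    $realBase = realpath($base);
    if ($realBase === false) {
        return false;
    }
    $realBase = rtrim($realBase, '/') . '/';

    // realpath() returns false for a non-existent target, so in that case
    // canonicalise the parent directory and re-attach the final component.
    $realPath = realpath($path);
    if ($realPath === false) {
        $parent = realpath(dirname($path));
        if ($parent === false) {
            return false;
        }
        $realPath = rtrim($parent, '/') . '/' . $leaf;
    }
    return strncmp($realPath, $realBase, strlen($realBase)) === 0;
}

function confined_unlink($path, $base)
{
    if (!path_within_base($path, $base)) {
        trigger_error("unlink refused: $path is outside $base", E_USER_WARNING);
        return false;
    }
    return unlink($path);
}

// Mirrors testerase.php: the first call is inside the base, the second is refused.
$base = '/u/uq/web/www.uqtr.ca/';
confined_unlink('/u/uq/web/www.uqtr.ca/tmp/old_upload.txt', $base);  // constructed name
confined_unlink('/u/uq/web/entete.uqtr.ca/file_to_delete', $base);   // refused, outside base
```

A userland check like this still leaves a window between the realpath() call and the unlink() in which a path component could be swapped for a symlink, so it reduces exposure rather than replacing engine-level enforcement of open_basedir in the fixed release.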