[cobalt-users] safe_mode php do not seems to behave correctly
- From: bib <bib@xxxxxxxxxxxxx>
- Date: Wed Apr 30 16:35:10 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Dear all,
Newbie on the RaQ550 and PHP environment, I'm trying to get php running in
safe_mode. In my understanding of the official php documentation, a php
script under safe_mode & mod_php may open a file if and only if the owner
of the file to open is the same as the owner of the script. Unfortunately,
the "fopen" function doesn't seem to produce the awaited behaviour.
Let's try an example: John Dee is administrator of virtual site
my.domain.com (site1).
We have the following elements:
---------------------------
A) An extract of /etc/httpd/php.ini
    safe_mode = On
    safe_mode_exec_dir = /usr/local/php_safe ; nothing in there at this time
    safe_mode_allowed_env_vars = PHP_
    safe_mode_protected_env_vars = LD_LIBRARY_PATH
B) Directories perms and ownerships at /home/sites/my.domain.com/
    drwxrws---  2 root     site1   48 Apr  4 12:18 certs
    drwxr-s--x  3 SITE1-lo site1   93 Apr 26 10:37 logs
    drwxr-sr-x  2 johndee  site1   84 Apr 28 16:45 prot
    drwxrwsr-x  2 nobody   site1   37 Apr  4 11:50 users
    drwxrws--x  9 johndee  site1 4096 Apr 28 16:40 web
Please notice: as we don't make use of frontpage, we have set the
"web" dir ownership to "johndee" instead of "nobody"
C) A text file: /home/sites/my.domain.com/web/action_params3.txt
    Perms: 640
    Owner: johndee:site1
    Content:
        # Syntaxe:
        # <myFirst> <mySecond> <myThird> <myFourth>
        firstValue secondValue thirdValue fourthValue
D) A php file : /home/sites/my.domain.com/web/action_config3.php
    Perms: 644
    Owner: johndee:site1
    Listing:
<?php
// This script reads a text file, filtering out comment lines
// and empty lines. It reads the single useful line, made of
// 4 space-delimited strings, and sets 4 variables accordingly.
$paramFile="action_params3.txt";
if (!$paramFileFd=fopen($paramFile, "r")) {
    echo ("<br><br>Error: Can't open requested file.<br><br>");
} else {
    while (!feof ($paramFileFd)) {
        $paramLine = trim( fgets($paramFileFd,1024) );
        if ( strlen( $paramLine ) == 0 || ereg("^#.*$", $paramLine ) ) {
            continue;
        } else {
            list($myFirst,$mySecond,$myThird,$myFourth)=explode(" ",$paramLine);
            break;
        }
    }
    fclose( $paramFileFd );
}
?>
E) An index file to show result: /home/sites/maui.siw.ch/web/index.php
    Perms: 644
    Owner: johndee:site1
    Relevant part:
<p>
<?
    include( "action_config3.php" );
    echo ( "myFirst = $myFirst <br>" );
    echo ( "mySecond = $mySecond <br>" );
    echo ( "myThird = $myThird <br>" );
    echo ( "myFourth = $myFourth <br>" );
?>
</p>
Now to the tests:
-----------------
1. Running this script brought the following error:
    Warning: fopen(action_params3.txt)
    [function.fopen]: failed to create stream:
    Permission denied in
    /home/.sites/28/site1/web/action_config3.php
    on line 8
2. Now, back to C).
Change permission of text file
/home/sites/my.domain.com/web/action_params3.txt
from 640 to 644 and refresh the page.
It runs without problem.
3. Then change ownership of the same file to the existing owner/group of
another vsite,
let's say for example helena:site27
The script runs without problem too at refresh time !!
My question: how may I achieve correct behaviour, i.e. letting a php script
in safe_mode/mod_php
open a file if and only if it is owned by the same user as the script
that tries to open it ?
Many thanks in advance for your tips or pointers to useful hints.
Kindest regards
Bertrand
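
An explicit, application-level version of the ownership rule asked about above, as an added example that is not part of the original post: it opens the file, then compares the owner reported by fstat() on the open handle with getmyuid(), the owner of the running script. The helper name open_if_same_owner() is hypothetical; the file must still be readable by the user the web server runs as, which is a separate check made by the operating system.

```php
<?php
// Added example, not from the original post.
// open_if_same_owner() is a hypothetical helper name.

/**
 * Open $path read-only, but only if it is a regular file owned by the
 * same UID that owns the running script. Returns a stream or false.
 */
function open_if_same_owner($path)
{
    // getmyuid() returns the owner of the script file, not the UID
    // the web server process runs as.
    $scriptUid = getmyuid();
    if ($scriptUid === false) {
        return false;
    }

    $fp = @fopen($path, 'r');
    if ($fp === false) {
        return false;   // missing file or OS-level permission denied
    }

    // Check the owner on the open handle rather than on the path, so the
    // file cannot be swapped between the check and the open.
    $st = fstat($fp);
    $isRegular = $st !== false && ($st['mode'] & 0170000) === 0100000;
    if (!$isRegular || $st['uid'] !== $scriptUid) {
        fclose($fp);
        return false;
    }
    return $fp;
}

// Usage with the file name from the post.
$fd = open_if_same_owner('action_params3.txt');
if ($fd === false) {
    echo "Error: file missing, unreadable, or not owned by the script owner.\n";
} else {
    echo trim(fgets($fd, 1024)), "\n";
    fclose($fd);
}
```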