ID: 44562
Comment by: elettrico at diciannove dot net
Reported By: nlgordon at gmail dot com
Status: Open
Bug Type: Safe Mode/open_basedir
Operating System: RHEL 4
PHP Version: 5.2.5
New Comment:
I have the same problem: I want to secure my webserver giving every
vhost different open_basedir and different upload_tmp_dir values, like
that:
<VirtualHost *:80>
[...]
php_admin_value open_basedir
"/home/web1:/home/web1/tmp:/usr/lib/php/"
php_admin_value session.save_path "/home/web1/sess/"
php_admin_value upload_tmp_dir "/home/web1/tmp/"
[...]
</VirtualHost>
but the tempnam() function seems to ignore these settings and continue
to use /tmp, as I can read in the log:
[Wed Jun 18 15:11:22 2008] [error] [client x.x.x.x] PHP Warning:
tempnam() [<a href='function.tempnam'>function.tempnam</a>]:
open_basedir restriction in effect. File(/tmp) is not within the allowed
path(s): (/home/web1:/home/web1/tmp:/usr/lib/php/) in
/home/web1/test.php on line 2
test.php is this simple piece of code:
<?
echo tempnam('','');
?>
This is a big problem because a lot of software wish to use tempnam and
I don't want to open /tmp to the world.
I think this is a major bug.
OS: debian etch with backports enabled
Previous Comments:
------------------------------------------------------------------------
[2008-03-28 22:14:57] nlgordon at gmail dot com
Description:
------------
Given the following scenario:
open_basedir enabled to /var/www/foo
upload_tmp_dir set to /var/www/foo/tmpdir
No free file space to handle the upload in the temp dir specified.
Causes PHP to throw an error that doesn't make a lot of sense to my end
users:
Warning: Unknown: open_basedir restriction in effect. File(/tmp) is not
within the allowed path(s): (/var/www/foo/tmpdir) in Unknown on line 0
This makes things look like a permissions issue. I have tracked down
the source of the error to main/php_open_temporary_file.c:254 There is
a comment there that if the first attempt fails, it will use the system
temp dir. While that might be fine on systems without open_basedir
enabled, it can cause some confusing error messages otherwise. The
error message of "File upload error - unable to create a temporary file"
is perfect for this error, and it does show up. It just isn't the first
or most noticeable error.
I notice that in the php_get_temporary_directory function (which is
what determines /tmp as the temp dir) that there are options for
changing this default. I plan on setting TMPDIR per vhost as a work
around, but this seems unnecessary as I already set upload_tmp_dir.
I'm not sure what the perfect answer to this is, but I'm not sure I
agree with magically changing something I specifically set without
telling me. Some of the extremists might even label this a security
issue.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=44562&edit=1
