ID: 44562
Comment by: elettrico at diciannove dot net
Reported By: nlgordon at gmail dot com
Status: Open
Bug Type: Safe Mode/open_basedir
Operating System: RHEL 4
PHP Version: 5.2.5
New Comment:

I have the same problem: I want to secure my webserver giving every vhost different open_basedir and different upload_tmp_dir values, like that:

<VirtualHost *:80>
[...]
php_admin_value open_basedir "/home/web1:/home/web1/tmp:/usr/lib/php/"
php_admin_value session.save_path "/home/web1/sess/"
php_admin_value upload_tmp_dir "/home/web1/tmp/"
[...]
</VirtualHost>

but the tempnam() function seems to ignore these settings and continues to use /tmp, as I can read in the log:

[Wed Jun 18 15:11:22 2008] [error] [client x.x.x.x] PHP Warning: tempnam() [<a href='function.tempnam'>function.tempnam</a>]: open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (/home/web1:/home/web1/tmp:/usr/lib/php/) in /home/web1/test.php on line 2

test.php is this simple piece of code:

<?
echo tempnam('','');
?>

This is a big problem because a lot of software wishes to use tempnam and I don't want to open /tmp to the world. I think this is a major bug.

OS: debian etch with backports enabled

Previous Comments:
------------------------------------------------------------------------

[2008-03-28 22:14:57] nlgordon at gmail dot com

Description:
------------
Given the following scenario:
open_basedir enabled to /var/www/foo
upload_tmp_dir set to /var/www/foo/tmpdir
No free file space to handle the upload in the temp dir specified.

Causes PHP to throw an error that doesn't make a lot of sense to my end users:

Warning: Unknown: open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (/var/www/foo/tmpdir) in Unknown on line 0

This makes things look like a permissions issue. I have tracked down the source of the error to main/php_open_temporary_file.c:254

There is a comment there that if the first attempt fails, it will use the system temp dir. While that might be fine on systems without open_basedir enabled, it can cause some confusing error messages otherwise.

The error message of "File upload error - unable to create a temporary file" is perfect for this error, and it does show up. It just isn't the first or most noticeable error.

I notice that in the php_get_temporary_directory function (which is what determines /tmp as the temp dir) that there are options for changing this default. I plan on setting TMPDIR per vhost as a workaround, but this seems unnecessary as I already set upload_tmp_dir.

I'm not sure what the perfect answer to this is, but I'm not sure I agree with magically changing something I specifically set without telling me. Some of the extremists might even label this a security issue.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=44562&edit=1
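
An application-side guard against the fallback both comments describe, as an added example that is not part of the bug report or of PHP itself: it always passes an explicit per-vhost directory to tempnam() and rejects any file that ends up somewhere else. The helper name vhost_tempnam(), the PHP 7.1+ syntax and the scratch directory in the demo are assumptions made for illustration.

```php
<?php
// Added example; vhost_tempnam() is a hypothetical helper, not a PHP built-in.
// Assumes PHP 7.1+ syntax (nullable type hints).

function vhost_tempnam(string $prefix = 'tmp', ?string $dir = null): string
{
    // tempnam('', '') means "use the system temp dir", so default to the
    // per-vhost upload_tmp_dir instead and refuse to continue without one.
    $dir = $dir ?? (string) ini_get('upload_tmp_dir');
    if ($dir === '') {
        throw new RuntimeException('no temp dir configured; refusing to use the system default');
    }
    $realDir = realpath($dir);
    if ($realDir === false || !is_dir($realDir) || !is_writable($realDir)) {
        throw new RuntimeException("temp dir '$dir' is missing or not writable");
    }

    // If creation in $realDir fails, tempnam() may retry in the system temp
    // dir, which is what trips open_basedir. Silence the warning and check
    // the result ourselves.
    $file = @tempnam($realDir, $prefix);
    if ($file === false) {
        throw new RuntimeException("could not create a temporary file in '$realDir'");
    }
    $realFile = realpath($file);
    if ($realFile === false || dirname($realFile) !== $realDir) {
        @unlink($file); // do not leave a stray file outside the vhost
        throw new RuntimeException("tempnam() fell back to '" . dirname($file) . "'");
    }
    return $realFile;
}

// Constructed demo: a scratch directory stands in for /home/web1/tmp/.
$demoDir = sys_get_temp_dir() . '/web1-tmp-' . getmypid();
mkdir($demoDir, 0700);
$path = vhost_tempnam('up_', $demoDir);
echo $path, "\n";
unlink($path);
rmdir($demoDir);
```

This turns the misleading open_basedir warning into an explicit error naming the directory that could not be used; it does not change how PHP's upload handling itself picks a temp directory.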