robert mena wrote --- napísal::
Marek,

but the program was executed using a system call from a php script.

- rt

And that's what I mean. Every fopen call (almost) in the php binary is wrapped around the safe mode checks. But once you leave the php binary, or even load a php module that does not use this wrapper, safe mode does not work anymore.



On Wed, 30 Jun 2004 23:50:02 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:

robert mena wrote --- napísal::


Hi,

I host a few virtual domains in apache 2 and use php.

The virtual domain is something like

<VirtualHost a.b.c.d:80>
       ServerAdmin [EMAIL PROTECTED]
       DocumentRoot /home/httpd/html/domain.com
       ServerName www.domain.com
       ErrorLog   logs/domain.com-error_log
       CustomLog  logs/domain.com-access_log combined
       ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
       <Directory /home/httpd/html/domain.com/>
               AllowOverride AuthConfig Limit
               php_admin_value doc_root "/home/httpd/html/domain.com/"
               php_admin_flag safe_mode on
               php_admin_value open_basedir "/home/httpd/html/domain.com:/tmp/"
       </Directory>
</VirtualHost>

Recently I had a minor problem with a user that uploaded via ftp a php
script in his domain and this domain used exec/system etc to call
perl, read files.

Shouldn't the settings above retrict such thing ?


no, this setting affects only php, not programs executed from php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php



Reply via email to