ID: 33752 Comment by: anton at titov dot net Reported By: mordae at mordae dot net Status: Open Bug Type: Feature/Change Request Operating System: all POSIX PHP Version: 4.3.11 New Comment:
I can do this /I mean to add setting for this/ if you point me if there is somewhere coding rules for writing for PHP. And if you tell me how to submit it when I'm done. You will need somebody to understand the idea and to document it as my English is probably not good enough for it. Anton Titov Host.bg Previous Comments: ------------------------------------------------------------------------ [2005-07-18 20:24:44] mordae at mordae dot net For the first, we all know what PHP does in so-called safe_mode. When using PHP as web server module and create directory or file, it is owned by user running web server, so we have to keep eyes on it's mode. Usually 0757 (0646) is needed. If we use safe_mode, we end up with unaccessible files, because UIDs doesn't match. There has to be some solution of this problem in PHP. I have seen many other, but none seems to be used. What about this one: Add php.ini directive, that will make PHP check UID of all parent directories of accessed file and if any of parent directory is owned by scripts owner, allow access. To improve security, you could also check if all sub-directories are owned by the user, who runs PHP (server) or - again - script owner. See Titov's patch at http://titov.net/safemodepatch/ he probably did it. The problem is, that it's not official and no webhosting is using it. Thank you Mordae And I do apologize. ------------------------------------------------------------------------ [2005-07-18 19:36:15] [EMAIL PROTECTED] >For the first, we all know what PHP does in (un)safe_mode. So tell us, if you know. >There has to be some solution of this problem. What problem? >You have disagreed with all previous What are you talking about? ------------------------------------------------------------------------ [2005-07-18 17:44:19] mordae at mordae dot net Description: ------------ For the first, we all know what PHP does in (un)safe_mode. There has to be some solution of this problem. You have disagreed with all previous, so what about this one: Add php.ini directive, that will make PHP check UID of all parent directories of accessed file in addition of file's and if any of parent directories are owned by correct user, allow access. To improve security, you could also check if all directories "above" are owned by the user, who runs PHP. See Titov's patch at http://titov.net/safemodepatch/ Thank you Mordae ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=33752&edit=1
