From: support at nfrance dot com
Operating system: OpenBSD/FreeBSD
PHP version: Irrelevant
PHP Bug Type: *Directory/Filesystem functions
Bug description: safe mode bypassed
Description:
------------
When changing permissions on a directory safe mode restrictions for php
scripts in this directory can be bypassed
When directory in chmod 755 safe mode works as exepted, bot not anymore in
chmod 751
(note that php run as apache module ans /etc/passwd is of course not owned
by the same user as apache is running)
This has been seen on 3 differents servers, 2 with OpenBSD and one with
FreeBSD
Tested with PHP 4.2.2 with follonwing configure commands :
'./configure' '--enable-safe-mode' '--enable-memory-limit'
'--with-pgsql=/usr/local/pgsql/' '--with- mysql=/usr/local'
'--with-imagic' '--enable-track-vars'
'--with-imap=/usr/local/src/imap-2001a' '--with- gd=/usr/local'
'--with-jpeg-dir=/usr/local' '--with-png-dir=/usr/local' '--with-t1lib'
'--with-ttf' '-- enable-magic-quotes' '--enable-roxen-zts' '--enable-ftp'
'--enable-calendar' '--with-gdbm' '-- enable-zlib=/usr' '--with-gettext'
'--with-xml' '--with-dom' '--with-zlib-dir=/usr' '--enable-bcmath'
'--with-apache=/usr/local/src/apache_1.3.27'
Tested again after having upgraded to PHP 4.3.4 (and having upgraded
apache too) with a clean php.ini and the bug is still active
However, we've tested on others FreeBSD servers with the same PHP version
without any problem. Of course configuration was different ont those
servers, but it is not normal that safe mode can be bypassed so easily
whatever the environment.
Please advise !
Reproduce code:
---------------
<?
$fp = fopen("/etc/passwd","r");
$data = fgets($fp,255);
echo "$data<BR>";
fclose($fp);
?>
(bug has been see with readfile() too)
Expected result:
----------------
Current directory permissions :
drwxr-xr-x 2 fred fred 512 Feb 17 10:58 .
Result :
Warning: SAFE MODE Restriction in effect. The script whose uid is 1003 is
not allowed to access /etc/passwd owned by uid 0 in /home/fred/
test/etcpasswd.php on line 3
Warning: fopen("/etc/passwd", "r") - Inappropriate ioctl for device in
/home/fred/test/etcpasswd.php on line 3
Warning: fgets(): supplied argument is not a valid File-Handle resource in
/home/fred/test/etcpasswd.php on line 5
Warning: fclose(): supplied argument is not a valid File-Handle resource
in /home/fred/test/etcpasswd.php on line 9
Actual result:
--------------
Current directory permissions (noting else changed) :
drwxr-x--x 2 fred fred 512 Feb 17 10:58 .
Result :
# $FreeBSD: src/etc/master.passwd,v 1.25.2.5 2002/02/10 11:43:37 obrien
Exp $
--
Edit bug report at http://bugs.php.net/?id=27364&edit=1
--
Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=27364&r=trysnapshot4
Try a CVS snapshot (php5): http://bugs.php.net/fix.php?id=27364&r=trysnapshot5
Fixed in CVS: http://bugs.php.net/fix.php?id=27364&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=27364&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=27364&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=27364&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=27364&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=27364&r=support
Expected behavior: http://bugs.php.net/fix.php?id=27364&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=27364&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=27364&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=27364&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=27364&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=27364&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=27364&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=27364&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=27364&r=float
