From: support at nfrance dot com Operating system: OpenBSD/FreeBSD PHP version: Irrelevant PHP Bug Type: *Directory/Filesystem functions Bug description: safe mode bypassed
Description: ------------ When changing permissions on a directory safe mode restrictions for php scripts in this directory can be bypassed When directory in chmod 755 safe mode works as exepted, bot not anymore in chmod 751 (note that php run as apache module ans /etc/passwd is of course not owned by the same user as apache is running) This has been seen on 3 differents servers, 2 with OpenBSD and one with FreeBSD Tested with PHP 4.2.2 with follonwing configure commands : './configure' '--enable-safe-mode' '--enable-memory-limit' '--with-pgsql=/usr/local/pgsql/' '--with- mysql=/usr/local' '--with-imagic' '--enable-track-vars' '--with-imap=/usr/local/src/imap-2001a' '--with- gd=/usr/local' '--with-jpeg-dir=/usr/local' '--with-png-dir=/usr/local' '--with-t1lib' '--with-ttf' '-- enable-magic-quotes' '--enable-roxen-zts' '--enable-ftp' '--enable-calendar' '--with-gdbm' '-- enable-zlib=/usr' '--with-gettext' '--with-xml' '--with-dom' '--with-zlib-dir=/usr' '--enable-bcmath' '--with-apache=/usr/local/src/apache_1.3.27' Tested again after having upgraded to PHP 4.3.4 (and having upgraded apache too) with a clean php.ini and the bug is still active However, we've tested on others FreeBSD servers with the same PHP version without any problem. Of course configuration was different ont those servers, but it is not normal that safe mode can be bypassed so easily whatever the environment. Please advise ! Reproduce code: --------------- <? $fp = fopen("/etc/passwd","r"); $data = fgets($fp,255); echo "$data<BR>"; fclose($fp); ?> (bug has been see with readfile() too) Expected result: ---------------- Current directory permissions : drwxr-xr-x 2 fred fred 512 Feb 17 10:58 . Result : Warning: SAFE MODE Restriction in effect. The script whose uid is 1003 is not allowed to access /etc/passwd owned by uid 0 in /home/fred/ test/etcpasswd.php on line 3 Warning: fopen("/etc/passwd", "r") - Inappropriate ioctl for device in /home/fred/test/etcpasswd.php on line 3 Warning: fgets(): supplied argument is not a valid File-Handle resource in /home/fred/test/etcpasswd.php on line 5 Warning: fclose(): supplied argument is not a valid File-Handle resource in /home/fred/test/etcpasswd.php on line 9 Actual result: -------------- Current directory permissions (noting else changed) : drwxr-x--x 2 fred fred 512 Feb 17 10:58 . Result : # $FreeBSD: src/etc/master.passwd,v 1.25.2.5 2002/02/10 11:43:37 obrien Exp $ -- Edit bug report at http://bugs.php.net/?id=27364&edit=1 -- Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=27364&r=trysnapshot4 Try a CVS snapshot (php5): http://bugs.php.net/fix.php?id=27364&r=trysnapshot5 Fixed in CVS: http://bugs.php.net/fix.php?id=27364&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=27364&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=27364&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=27364&r=needscript Try newer version: http://bugs.php.net/fix.php?id=27364&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=27364&r=support Expected behavior: http://bugs.php.net/fix.php?id=27364&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=27364&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=27364&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=27364&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=27364&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=27364&r=dst IIS Stability: http://bugs.php.net/fix.php?id=27364&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=27364&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=27364&r=float