Bug #14076 Updated: fopen() and touch() fail to create file under safe mode
ID: 14076 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] -Status: No Feedback +Status: Open Bug Type: *Directory/Filesystem functions Operating System: Linux PHP Version: 4.0.6 Previous Comments: [2002-05-04 03:55:59] [EMAIL PROTECTED] I don't seem to be able to change the status to Open... How do I do it?! [2002-05-04 03:53:18] [EMAIL PROTECTED] Erm... Hajo provided feedback. [2002-05-04 00:00:04] [EMAIL PROTECTED] No feedback was provided for this bug for over a month, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open". [2002-04-17 03:35:34] [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: >I could not reproduce this issue. >Here's my layout for the virtual server (from httpd.conf) The symlink has to be *within* path_to_site, e.g.: /var/www/ = symlink to /mnt/sda1/www /var/www/domain.com = apache document_root = php open_basedir Please see my posting from 16 Jan 1:21pm for details ( http://bugs.php.net/bug.php?id=14076 ). Hajo [2002-04-16 07:33:57] [EMAIL PROTECTED] I could not reproduce this issue. Here's my layout for the virtual server (from httpd.conf): DocumentRoot /path_to_site/html Options FollowSymLinks php_admin_value open_basedir path_to_sitephp_admin_value doc_root path_to_site php_admin_value safe_mode_include_dir path_to_site safe_mode=on in php.ini PHP version: both 4.0.6 and 4.2.0RC2 create PHP-script at "path_to_site/html/scriptname" create directory "path_to_site/html/test" writable by the apache user, then make symlink "path_to_site/html/test2" to that directory lynx http://sitename/scriptname gives "Resource id#1" No errors found in php_error_log, looked at path_to_site/html/test2/ and saw there both 1.txt contained "test" and xxx subdirectory. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/14076 -- Edit this bug report at http://bugs.php.net/?id=14076&edit=1
Bug #14076 Updated: fopen() and touch() fail to create file under safe mode
ID: 14076 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: No Feedback Bug Type: *Directory/Filesystem functions Operating System: Linux PHP Version: 4.0.6 New Comment: I don't seem to be able to change the status to Open... How do I do it?! Previous Comments: [2002-05-04 03:53:18] [EMAIL PROTECTED] Erm... Hajo provided feedback. [2002-05-04 00:00:04] [EMAIL PROTECTED] No feedback was provided for this bug for over a month, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open". [2002-04-17 03:35:34] [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: >I could not reproduce this issue. >Here's my layout for the virtual server (from httpd.conf) The symlink has to be *within* path_to_site, e.g.: /var/www/ = symlink to /mnt/sda1/www /var/www/domain.com = apache document_root = php open_basedir Please see my posting from 16 Jan 1:21pm for details ( http://bugs.php.net/bug.php?id=14076 ). Hajo [2002-04-16 07:33:57] [EMAIL PROTECTED] I could not reproduce this issue. Here's my layout for the virtual server (from httpd.conf): DocumentRoot /path_to_site/html Options FollowSymLinks php_admin_value open_basedir path_to_sitephp_admin_value doc_root path_to_site php_admin_value safe_mode_include_dir path_to_site safe_mode=on in php.ini PHP version: both 4.0.6 and 4.2.0RC2 create PHP-script at "path_to_site/html/scriptname" create directory "path_to_site/html/test" writable by the apache user, then make symlink "path_to_site/html/test2" to that directory lynx http://sitename/scriptname gives "Resource id#1" No errors found in php_error_log, looked at path_to_site/html/test2/ and saw there both 1.txt contained "test" and xxx subdirectory. [2002-04-03 15:38:25] [EMAIL PROTECTED] Unfortunately this bug is *not* fixed in 4.2.0rc1. I can reproduce both problems (fopen fails if file does not exist / safe_mode_includedir does not work). If I use "real" path statements (e.g. /mnt/hda7/web/file.php instead of /var/web/file.php) everything works fine (please see my previous posts to #14076) Let me know if I can help with more tests or debug output. It would be very nice to have this problem fixed in the next release. Hajo The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/14076 -- Edit this bug report at http://bugs.php.net/?id=14076&edit=1
Bug #14076 Updated: fopen() and touch() fail to create file under safe mode
ID: 14076 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: No Feedback Bug Type: *Directory/Filesystem functions Operating System: Linux PHP Version: 4.0.6 New Comment: Erm... Hajo provided feedback. Previous Comments: [2002-05-04 00:00:04] [EMAIL PROTECTED] No feedback was provided for this bug for over a month, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open". [2002-04-17 03:35:34] [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: >I could not reproduce this issue. >Here's my layout for the virtual server (from httpd.conf) The symlink has to be *within* path_to_site, e.g.: /var/www/ = symlink to /mnt/sda1/www /var/www/domain.com = apache document_root = php open_basedir Please see my posting from 16 Jan 1:21pm for details ( http://bugs.php.net/bug.php?id=14076 ). Hajo [2002-04-16 07:33:57] [EMAIL PROTECTED] I could not reproduce this issue. Here's my layout for the virtual server (from httpd.conf): DocumentRoot /path_to_site/html Options FollowSymLinks php_admin_value open_basedir path_to_sitephp_admin_value doc_root path_to_site php_admin_value safe_mode_include_dir path_to_site safe_mode=on in php.ini PHP version: both 4.0.6 and 4.2.0RC2 create PHP-script at "path_to_site/html/scriptname" create directory "path_to_site/html/test" writable by the apache user, then make symlink "path_to_site/html/test2" to that directory lynx http://sitename/scriptname gives "Resource id#1" No errors found in php_error_log, looked at path_to_site/html/test2/ and saw there both 1.txt contained "test" and xxx subdirectory. [2002-04-03 15:38:25] [EMAIL PROTECTED] Unfortunately this bug is *not* fixed in 4.2.0rc1. I can reproduce both problems (fopen fails if file does not exist / safe_mode_includedir does not work). If I use "real" path statements (e.g. /mnt/hda7/web/file.php instead of /var/web/file.php) everything works fine (please see my previous posts to #14076) Let me know if I can help with more tests or debug output. It would be very nice to have this problem fixed in the next release. Hajo [2002-04-03 11:59:12] [EMAIL PROTECTED] This should be fixed. Please see www.php.net/~derick for the latest RC for 4.2.0m, and report back. Derick The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/14076 -- Edit this bug report at http://bugs.php.net/?id=14076&edit=1
Bug #14076 Updated: fopen() and touch() fail to create file under safe mode
ID: 14076 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] -Status: Feedback +Status: No Feedback Bug Type: *Directory/Filesystem functions Operating System: Linux PHP Version: 4.0.6 New Comment: No feedback was provided for this bug for over a month, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open". Previous Comments: [2002-04-17 03:35:34] [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: >I could not reproduce this issue. >Here's my layout for the virtual server (from httpd.conf) The symlink has to be *within* path_to_site, e.g.: /var/www/ = symlink to /mnt/sda1/www /var/www/domain.com = apache document_root = php open_basedir Please see my posting from 16 Jan 1:21pm for details ( http://bugs.php.net/bug.php?id=14076 ). Hajo [2002-04-16 07:33:57] [EMAIL PROTECTED] I could not reproduce this issue. Here's my layout for the virtual server (from httpd.conf): DocumentRoot /path_to_site/html Options FollowSymLinks php_admin_value open_basedir path_to_sitephp_admin_value doc_root path_to_site php_admin_value safe_mode_include_dir path_to_site safe_mode=on in php.ini PHP version: both 4.0.6 and 4.2.0RC2 create PHP-script at "path_to_site/html/scriptname" create directory "path_to_site/html/test" writable by the apache user, then make symlink "path_to_site/html/test2" to that directory lynx http://sitename/scriptname gives "Resource id#1" No errors found in php_error_log, looked at path_to_site/html/test2/ and saw there both 1.txt contained "test" and xxx subdirectory. [2002-04-03 15:38:25] [EMAIL PROTECTED] Unfortunately this bug is *not* fixed in 4.2.0rc1. I can reproduce both problems (fopen fails if file does not exist / safe_mode_includedir does not work). If I use "real" path statements (e.g. /mnt/hda7/web/file.php instead of /var/web/file.php) everything works fine (please see my previous posts to #14076) Let me know if I can help with more tests or debug output. It would be very nice to have this problem fixed in the next release. Hajo [2002-04-03 11:59:12] [EMAIL PROTECTED] This should be fixed. Please see www.php.net/~derick for the latest RC for 4.2.0m, and report back. Derick [2002-04-03 11:56:31] [EMAIL PROTECTED] This bug still exists in PHP 4.1.2. A similiar problem also affects safe_mode_include_dir (path-statements containing symlinks do not work: "The script whose uid is 1234 is not allowed to access /my/safe_mode_include_path/with/symlink/mail.php owned by uid 0"). Could someone *please* fix this ? Hajo The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/14076 -- Edit this bug report at http://bugs.php.net/?id=14076&edit=1
Bug #14076 Updated: fopen() and touch() fail to create file under safe mode
ID: 14076 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: Feedback Bug Type: *Directory/Filesystem functions Operating System: Linux PHP Version: 4.0.6 New Comment: [EMAIL PROTECTED] wrote: >I could not reproduce this issue. >Here's my layout for the virtual server (from httpd.conf) The symlink has to be *within* path_to_site, e.g.: /var/www/ = symlink to /mnt/sda1/www /var/www/domain.com = apache document_root = php open_basedir Please see my posting from 16 Jan 1:21pm for details ( http://bugs.php.net/bug.php?id=14076 ). Hajo Previous Comments: [2002-04-16 07:33:57] [EMAIL PROTECTED] I could not reproduce this issue. Here's my layout for the virtual server (from httpd.conf): DocumentRoot /path_to_site/html Options FollowSymLinks php_admin_value open_basedir path_to_sitephp_admin_value doc_root path_to_site php_admin_value safe_mode_include_dir path_to_site safe_mode=on in php.ini PHP version: both 4.0.6 and 4.2.0RC2 create PHP-script at "path_to_site/html/scriptname" create directory "path_to_site/html/test" writable by the apache user, then make symlink "path_to_site/html/test2" to that directory lynx http://sitename/scriptname gives "Resource id#1" No errors found in php_error_log, looked at path_to_site/html/test2/ and saw there both 1.txt contained "test" and xxx subdirectory. [2002-04-03 15:38:25] [EMAIL PROTECTED] Unfortunately this bug is *not* fixed in 4.2.0rc1. I can reproduce both problems (fopen fails if file does not exist / safe_mode_includedir does not work). If I use "real" path statements (e.g. /mnt/hda7/web/file.php instead of /var/web/file.php) everything works fine (please see my previous posts to #14076) Let me know if I can help with more tests or debug output. It would be very nice to have this problem fixed in the next release. Hajo [2002-04-03 11:59:12] [EMAIL PROTECTED] This should be fixed. Please see www.php.net/~derick for the latest RC for 4.2.0m, and report back. Derick [2002-04-03 11:56:31] [EMAIL PROTECTED] This bug still exists in PHP 4.1.2. A similiar problem also affects safe_mode_include_dir (path-statements containing symlinks do not work: "The script whose uid is 1234 is not allowed to access /my/safe_mode_include_path/with/symlink/mail.php owned by uid 0"). Could someone *please* fix this ? Hajo [2002-01-17 14:59:12] [EMAIL PROTECTED] I've verified that this problem still exists in PHP 4.1.1. Hajo Noerenberg The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/14076 -- Edit this bug report at http://bugs.php.net/?id=14076&edit=1
Bug #14076 Updated: fopen() and touch() fail to create file under safe mode
ID: 14076 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: Feedback Bug Type: *Directory/Filesystem functions Operating System: Linux PHP Version: 4.0.6 New Comment: I could not reproduce this issue. Here's my layout for the virtual server (from httpd.conf): DocumentRoot /path_to_site/html Options FollowSymLinks php_admin_value open_basedir path_to_sitephp_admin_value doc_root path_to_site php_admin_value safe_mode_include_dir path_to_site safe_mode=on in php.ini PHP version: both 4.0.6 and 4.2.0RC2 create PHP-script at "path_to_site/html/scriptname" create directory "path_to_site/html/test" writable by the apache user, then make symlink "path_to_site/html/test2" to that directory lynx http://sitename/scriptname gives "Resource id#1" No errors found in php_error_log, looked at path_to_site/html/test2/ and saw there both 1.txt contained "test" and xxx subdirectory. Previous Comments: [2002-04-03 15:38:25] [EMAIL PROTECTED] Unfortunately this bug is *not* fixed in 4.2.0rc1. I can reproduce both problems (fopen fails if file does not exist / safe_mode_includedir does not work). If I use "real" path statements (e.g. /mnt/hda7/web/file.php instead of /var/web/file.php) everything works fine (please see my previous posts to #14076) Let me know if I can help with more tests or debug output. It would be very nice to have this problem fixed in the next release. Hajo [2002-04-03 11:59:12] [EMAIL PROTECTED] This should be fixed. Please see www.php.net/~derick for the latest RC for 4.2.0m, and report back. Derick [2002-04-03 11:56:31] [EMAIL PROTECTED] This bug still exists in PHP 4.1.2. A similiar problem also affects safe_mode_include_dir (path-statements containing symlinks do not work: "The script whose uid is 1234 is not allowed to access /my/safe_mode_include_path/with/symlink/mail.php owned by uid 0"). Could someone *please* fix this ? Hajo [2002-01-17 14:59:12] [EMAIL PROTECTED] I've verified that this problem still exists in PHP 4.1.1. Hajo Noerenberg [2002-01-16 13:42:52] [EMAIL PROTECTED] As a workaround you can use relative paths in all of your fopen()-calls: fopen("./test.html") always works (I think php prepends the *expanded path* then -- see the last paragraph in my previous comment). Hajo The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/14076 -- Edit this bug report at http://bugs.php.net/?id=14076&edit=1
Bug #14076 Updated: fopen() and touch() fail to create file under safe mode
ID: 14076 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: Feedback Bug Type: *Directory/Filesystem functions Operating System: Linux PHP Version: 4.0.6 New Comment: Unfortunately this bug is *not* fixed in 4.2.0rc1. I can reproduce both problems (fopen fails if file does not exist / safe_mode_includedir does not work). If I use "real" path statements (e.g. /mnt/hda7/web/file.php instead of /var/web/file.php) everything works fine (please see my previous posts to #14076) Let me know if I can help with more tests or debug output. It would be very nice to have this problem fixed in the next release. Hajo Previous Comments: [2002-04-03 11:59:12] [EMAIL PROTECTED] This should be fixed. Please see www.php.net/~derick for the latest RC for 4.2.0m, and report back. Derick [2002-04-03 11:56:31] [EMAIL PROTECTED] This bug still exists in PHP 4.1.2. A similiar problem also affects safe_mode_include_dir (path-statements containing symlinks do not work: "The script whose uid is 1234 is not allowed to access /my/safe_mode_include_path/with/symlink/mail.php owned by uid 0"). Could someone *please* fix this ? Hajo [2002-01-17 14:59:12] [EMAIL PROTECTED] I've verified that this problem still exists in PHP 4.1.1. Hajo Noerenberg [2002-01-16 13:42:52] [EMAIL PROTECTED] As a workaround you can use relative paths in all of your fopen()-calls: fopen("./test.html") always works (I think php prepends the *expanded path* then -- see the last paragraph in my previous comment). Hajo [2002-01-16 13:21:11] [EMAIL PROTECTED] This problem has nothing to do with wrong file/directory modes. I'm quite sure that it is a bug in the PHP-realpath-code. Please consider the following setup layout: /var/www/ = symlink to /mnt/sda1/www /var/www/domain.com = apache document_root = php open_basedir /var/www/domain.com/test.html = test file for fopen() I've added some debug code to fopen_wrappers.c : php_error(E_NOTICE, "check_specific_open_basedir ( comparing resolved name %s to resolved_basedir %s )", resolved_name, resolved_basedir); if (strncmp(resolved_basedir, resolved_name, strlen(resolved_basedir)) == 0) { Trying to fopen("/var/www/domain.com/test.html") results in two cases: 1. /var/www/domain.com/test.html already exists PHP Warning: check_specific_open_basedir ( comparing resolved name /mnt/sda1/www/domain.com/test.html to resolved_basedir /mnt/sda1/www/domain.com/test.html ) -> fopen() succeeds 2. /var/www/domain.com/test.html does *not* exist PHP Warning: check_specific_open_basedir ( comparing resolved name /var/www/domain.com/test.html to resolved_basedir /mnt/sda1/www/domain.com/test.html ) -> fopen() fails with "open basedir restriction in effect"-error As you can see in the debug output, PHP does not correctly expand the file path if the file does not exists ! Trying to fopen("/mnt/sda1/www/domain.com/test.html") always succeeds because PHP does not need to expand the filename anymore (-> strncmp is always true ). Hajo (Linux 2.2 - PHP 4.0.6 - afaik the problem still exists in 4.1.X) The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/14076 -- Edit this bug report at http://bugs.php.net/?id=14076&edit=1
Bug #14076 Updated: fopen() and touch() fail to create file under safe mode
ID: 14076 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] -Status: Open +Status: Feedback Bug Type: *Directory/Filesystem functions Operating System: Linux PHP Version: 4.0.6 New Comment: This should be fixed. Please see www.php.net/~derick for the latest RC for 4.2.0m, and report back. Derick Previous Comments: [2002-04-03 11:56:31] [EMAIL PROTECTED] This bug still exists in PHP 4.1.2. A similiar problem also affects safe_mode_include_dir (path-statements containing symlinks do not work: "The script whose uid is 1234 is not allowed to access /my/safe_mode_include_path/with/symlink/mail.php owned by uid 0"). Could someone *please* fix this ? Hajo [2002-01-17 14:59:12] [EMAIL PROTECTED] I've verified that this problem still exists in PHP 4.1.1. Hajo Noerenberg [2002-01-16 13:42:52] [EMAIL PROTECTED] As a workaround you can use relative paths in all of your fopen()-calls: fopen("./test.html") always works (I think php prepends the *expanded path* then -- see the last paragraph in my previous comment). Hajo [2002-01-16 13:21:11] [EMAIL PROTECTED] This problem has nothing to do with wrong file/directory modes. I'm quite sure that it is a bug in the PHP-realpath-code. Please consider the following setup layout: /var/www/ = symlink to /mnt/sda1/www /var/www/domain.com = apache document_root = php open_basedir /var/www/domain.com/test.html = test file for fopen() I've added some debug code to fopen_wrappers.c : php_error(E_NOTICE, "check_specific_open_basedir ( comparing resolved name %s to resolved_basedir %s )", resolved_name, resolved_basedir); if (strncmp(resolved_basedir, resolved_name, strlen(resolved_basedir)) == 0) { Trying to fopen("/var/www/domain.com/test.html") results in two cases: 1. /var/www/domain.com/test.html already exists PHP Warning: check_specific_open_basedir ( comparing resolved name /mnt/sda1/www/domain.com/test.html to resolved_basedir /mnt/sda1/www/domain.com/test.html ) -> fopen() succeeds 2. /var/www/domain.com/test.html does *not* exist PHP Warning: check_specific_open_basedir ( comparing resolved name /var/www/domain.com/test.html to resolved_basedir /mnt/sda1/www/domain.com/test.html ) -> fopen() fails with "open basedir restriction in effect"-error As you can see in the debug output, PHP does not correctly expand the file path if the file does not exists ! Trying to fopen("/mnt/sda1/www/domain.com/test.html") always succeeds because PHP does not need to expand the filename anymore (-> strncmp is always true ). Hajo (Linux 2.2 - PHP 4.0.6 - afaik the problem still exists in 4.1.X) [2001-11-19 13:50:10] [EMAIL PROTECTED] Well, the fact that it can create a *new directory* in the same directory, already means that the apache process has sufficient permissions to also create a file in it. However, these are the permissions: webedit@penguin:/var/www/tmp/submit$ ls -lad ./ drwxrwx--- 18 webedit www 4096 Nov 15 19:13 ./ Apache runs as user `www', and the scripts are owned by user `webedit'. Note that the directory is owned by the same user as the script, and writeable to Apache, so the requirements of safe mode are met. Thank you for your response. -- Arcady Genkin The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/14076 -- Edit this bug report at http://bugs.php.net/?id=14076&edit=1
Bug #14076 Updated: fopen() and touch() fail to create file under safe mode
ID: 14076 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: Open Bug Type: *Directory/Filesystem functions Operating System: Linux PHP Version: 4.0.6 New Comment: This bug still exists in PHP 4.1.2. A similiar problem also affects safe_mode_include_dir (path-statements containing symlinks do not work: "The script whose uid is 1234 is not allowed to access /my/safe_mode_include_path/with/symlink/mail.php owned by uid 0"). Could someone *please* fix this ? Hajo Previous Comments: [2002-01-17 14:59:12] [EMAIL PROTECTED] I've verified that this problem still exists in PHP 4.1.1. Hajo Noerenberg [2002-01-16 13:42:52] [EMAIL PROTECTED] As a workaround you can use relative paths in all of your fopen()-calls: fopen("./test.html") always works (I think php prepends the *expanded path* then -- see the last paragraph in my previous comment). Hajo [2002-01-16 13:21:11] [EMAIL PROTECTED] This problem has nothing to do with wrong file/directory modes. I'm quite sure that it is a bug in the PHP-realpath-code. Please consider the following setup layout: /var/www/ = symlink to /mnt/sda1/www /var/www/domain.com = apache document_root = php open_basedir /var/www/domain.com/test.html = test file for fopen() I've added some debug code to fopen_wrappers.c : php_error(E_NOTICE, "check_specific_open_basedir ( comparing resolved name %s to resolved_basedir %s )", resolved_name, resolved_basedir); if (strncmp(resolved_basedir, resolved_name, strlen(resolved_basedir)) == 0) { Trying to fopen("/var/www/domain.com/test.html") results in two cases: 1. /var/www/domain.com/test.html already exists PHP Warning: check_specific_open_basedir ( comparing resolved name /mnt/sda1/www/domain.com/test.html to resolved_basedir /mnt/sda1/www/domain.com/test.html ) -> fopen() succeeds 2. /var/www/domain.com/test.html does *not* exist PHP Warning: check_specific_open_basedir ( comparing resolved name /var/www/domain.com/test.html to resolved_basedir /mnt/sda1/www/domain.com/test.html ) -> fopen() fails with "open basedir restriction in effect"-error As you can see in the debug output, PHP does not correctly expand the file path if the file does not exists ! Trying to fopen("/mnt/sda1/www/domain.com/test.html") always succeeds because PHP does not need to expand the filename anymore (-> strncmp is always true ). Hajo (Linux 2.2 - PHP 4.0.6 - afaik the problem still exists in 4.1.X) [2001-11-19 13:50:10] [EMAIL PROTECTED] Well, the fact that it can create a *new directory* in the same directory, already means that the apache process has sufficient permissions to also create a file in it. However, these are the permissions: webedit@penguin:/var/www/tmp/submit$ ls -lad ./ drwxrwx--- 18 webedit www 4096 Nov 15 19:13 ./ Apache runs as user `www', and the scripts are owned by user `webedit'. Note that the directory is owned by the same user as the script, and writeable to Apache, so the requirements of safe mode are met. Thank you for your response. -- Arcady Genkin [2001-11-19 12:37:01] [EMAIL PROTECTED] Post please the mod of your directory and tell me the user and group of your apache. Maybe the apache dont have rights to create a new file in your directory but he owns the newfile and can remove/edit this file. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/14076 -- Edit this bug report at http://bugs.php.net/?id=14076&edit=1