Bug #16042 Updated: mkdir no longer works correcrly (wrong UID)
ID: 16042 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: Bogus Bug Type: *Directory/Filesystem functions Operating System: Linux PHP Version: 4.1.2 Assigned To: jflemer New Comment: Actually, this is not a completely bogus claim. Problem is really in safe_mode.c and inconvenient limitations of safe_mode (e.g. see BUG 7204). Mmm, I set safe_mode_include_dir to '/var/www/web' (so I assume that uid/gid of all scripts in '/var/www/web' should be taken in account, is it?) But I've got the same error as here. It's a bug anyway. Problem was sligthly reduced by safe_mode_gid and safe_mode_include_dir. I see the only way: to have an optional php setting for a group (list of such groups?) which may and can to create/own PHP-scripts though they could not in the same group as php itself. Typical usage: developer teams with default different groups (project1, project2 and so on) which differ with www/apache user gid. These groups should be explicitly specified in either php.ini or on per-server basis (php_admin_value). Has it sense? I'm confused by possible overhead on getgrnam. Probably it affects files: safe_mode.c, main.c, php_ini.c. Previous Comments: [2002-03-13 10:23:32] [EMAIL PROTECTED] The second mkdir() will fail with a safe_mode restriction as it should. This is not a bug. Files or directories created by PHP when PHP is running as an Apache module will be owned by the Apache user id. There is simply no way around that given the current state of Apache. And the safe-mode restriction correctly restricts you from creating a directory inside a directory not owned by the same uid as the script. The fact that it worked before was a security problem which was fixed. If you want to be able to do something like this, you should consider using the open_basedir restriction mechanism where all these checks are done based on the base directory and anything the user does within/beneath that base directory is ok. Please read http://www.php.net/manual/en/features.safe-mode.php and http://www.php.net/manual/en/configuration.php#ini.open-basedir [2002-03-13 10:05:44] [EMAIL PROTECTED] Is it creating the first directory testfolder, or does it fail on the first mkdir()? [2002-03-13 10:02:07] [EMAIL PROTECTED] Which working version were you using prior ? [2002-03-13 09:57:46] [EMAIL PROTECTED] This is NOT a support question! We have lost 37 websites in the last few days due to a BUG in the security update. Come on people! I provided a sample script not because I need help, but because I thought you did. We are hacking into the php core now to get it running again as we are a hosting service and ALL AND EVERY WEBSITE USING PHP's mkdir function do not work because of a problem (READ BUG) with the uid setup. [2002-03-13 09:49:59] [EMAIL PROTECTED] The bug system is not the appropriate forum for asking support questions. For a list of a range of more appropriate places to ask for help using PHP, please visit http://www.php.net/support.php The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/16042 -- Edit this bug report at http://bugs.php.net/?id=16042edit=1
Bug #16042 Updated: mkdir no longer works correcrly (wrong UID)
ID: 16042
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Open
+Status: Bogus
Bug Type: *Directory/Filesystem functions
Operating System: Linux
PHP Version: 4.1.2
New Comment:
The bug system is not the appropriate forum for asking support
questions. For a list of a range of more appropriate places to ask
for help using PHP, please visit http://www.php.net/support.php
Previous Comments:
[2002-03-13 09:26:53] [EMAIL PROTECTED]
ENV:
Linux 2.2.19/apache 1.3.23/ Safe mode on, latest security
update
The following simple scripts no longer work:
?
mkdir('/var/www/web/test/testfolder' , 0777);
mkdir('/var/www/web/test/testfolder/another', 0777);
?
It generates: SAFE MODE Restriction in effect. The script
whose uid is 48561 is not allowed to
access /var/www/web/test/testfolder owned by uid 98 in ..
--
Edit this bug report at http://bugs.php.net/?id=16042edit=1
Bug #16042 Updated: mkdir no longer works correcrly (wrong UID)
ID: 16042
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Bogus
+Status: Feedback
Bug Type: *Directory/Filesystem functions
Operating System: Linux
PHP Version: 4.1.2
New Comment:
Which working version were you using prior ?
Previous Comments:
[2002-03-13 09:57:46] [EMAIL PROTECTED]
This is NOT a support question!
We have lost 37 websites in the last few days due to a BUG
in the security update. Come on people! I provided a
sample script not because I need help, but because I
thought you did. We are hacking into the php core now to
get it running again as we are a hosting service and ALL
AND EVERY WEBSITE USING PHP's mkdir function do not work
because of a problem (READ BUG) with the uid setup.
[2002-03-13 09:49:59] [EMAIL PROTECTED]
The bug system is not the appropriate forum for asking support
questions. For a list of a range of more appropriate places to ask
for help using PHP, please visit http://www.php.net/support.php
[2002-03-13 09:26:53] [EMAIL PROTECTED]
ENV:
Linux 2.2.19/apache 1.3.23/ Safe mode on, latest security
update
The following simple scripts no longer work:
?
mkdir('/var/www/web/test/testfolder' , 0777);
mkdir('/var/www/web/test/testfolder/another', 0777);
?
It generates: SAFE MODE Restriction in effect. The script
whose uid is 48561 is not allowed to
access /var/www/web/test/testfolder owned by uid 98 in ..
--
Edit this bug report at http://bugs.php.net/?id=16042edit=1
Bug #16042 Updated: mkdir no longer works correcrly (wrong UID)
ID: 16042
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Feedback
+Status: Bogus
Bug Type: *Directory/Filesystem functions
Operating System: Linux
PHP Version: 4.1.2
-Assigned To:
+Assigned To: jflemer
Previous Comments:
[2002-03-13 10:02:07] [EMAIL PROTECTED]
Which working version were you using prior ?
[2002-03-13 09:57:46] [EMAIL PROTECTED]
This is NOT a support question!
We have lost 37 websites in the last few days due to a BUG
in the security update. Come on people! I provided a
sample script not because I need help, but because I
thought you did. We are hacking into the php core now to
get it running again as we are a hosting service and ALL
AND EVERY WEBSITE USING PHP's mkdir function do not work
because of a problem (READ BUG) with the uid setup.
[2002-03-13 09:49:59] [EMAIL PROTECTED]
The bug system is not the appropriate forum for asking support
questions. For a list of a range of more appropriate places to ask
for help using PHP, please visit http://www.php.net/support.php
[2002-03-13 09:26:53] [EMAIL PROTECTED]
ENV:
Linux 2.2.19/apache 1.3.23/ Safe mode on, latest security
update
The following simple scripts no longer work:
?
mkdir('/var/www/web/test/testfolder' , 0777);
mkdir('/var/www/web/test/testfolder/another', 0777);
?
It generates: SAFE MODE Restriction in effect. The script
whose uid is 48561 is not allowed to
access /var/www/web/test/testfolder owned by uid 98 in ..
--
Edit this bug report at http://bugs.php.net/?id=16042edit=1
Bug #16042 Updated: mkdir no longer works correcrly (wrong UID)
ID: 16042
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Bogus
+Status: Feedback
Bug Type: *Directory/Filesystem functions
Operating System: Linux
PHP Version: 4.1.2
Assigned To: jflemer
New Comment:
Is it creating the first directory testfolder, or does it fail on the
first mkdir()?
Previous Comments:
[2002-03-13 10:02:07] [EMAIL PROTECTED]
Which working version were you using prior ?
[2002-03-13 09:57:46] [EMAIL PROTECTED]
This is NOT a support question!
We have lost 37 websites in the last few days due to a BUG
in the security update. Come on people! I provided a
sample script not because I need help, but because I
thought you did. We are hacking into the php core now to
get it running again as we are a hosting service and ALL
AND EVERY WEBSITE USING PHP's mkdir function do not work
because of a problem (READ BUG) with the uid setup.
[2002-03-13 09:49:59] [EMAIL PROTECTED]
The bug system is not the appropriate forum for asking support
questions. For a list of a range of more appropriate places to ask
for help using PHP, please visit http://www.php.net/support.php
[2002-03-13 09:26:53] [EMAIL PROTECTED]
ENV:
Linux 2.2.19/apache 1.3.23/ Safe mode on, latest security
update
The following simple scripts no longer work:
?
mkdir('/var/www/web/test/testfolder' , 0777);
mkdir('/var/www/web/test/testfolder/another', 0777);
?
It generates: SAFE MODE Restriction in effect. The script
whose uid is 48561 is not allowed to
access /var/www/web/test/testfolder owned by uid 98 in ..
--
Edit this bug report at http://bugs.php.net/?id=16042edit=1
Bug #16042 Updated: mkdir no longer works correcrly (wrong UID)
ID: 16042
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Feedback
+Status: Bogus
Bug Type: *Directory/Filesystem functions
Operating System: Linux
PHP Version: 4.1.2
Assigned To: jflemer
New Comment:
The second mkdir() will fail with a safe_mode restriction as it should.
This is not a bug. Files or directories created by PHP when PHP is
running as an Apache module will be owned by the Apache user id. There
is simply no way around that given the current state of Apache. And
the safe-mode restriction correctly restricts you from creating a
directory inside a directory not owned by the same uid as the script.
The fact that it worked before was a security problem which was fixed.
If you want to be able to do something like this, you should consider
using the open_basedir restriction mechanism where all these checks are
done based on the base directory and anything the user does
within/beneath that base directory is ok.
Please read http://www.php.net/manual/en/features.safe-mode.php and
http://www.php.net/manual/en/configuration.php#ini.open-basedir
Previous Comments:
[2002-03-13 10:05:44] [EMAIL PROTECTED]
Is it creating the first directory testfolder, or does it fail on the
first mkdir()?
[2002-03-13 10:02:07] [EMAIL PROTECTED]
Which working version were you using prior ?
[2002-03-13 09:57:46] [EMAIL PROTECTED]
This is NOT a support question!
We have lost 37 websites in the last few days due to a BUG
in the security update. Come on people! I provided a
sample script not because I need help, but because I
thought you did. We are hacking into the php core now to
get it running again as we are a hosting service and ALL
AND EVERY WEBSITE USING PHP's mkdir function do not work
because of a problem (READ BUG) with the uid setup.
[2002-03-13 09:49:59] [EMAIL PROTECTED]
The bug system is not the appropriate forum for asking support
questions. For a list of a range of more appropriate places to ask
for help using PHP, please visit http://www.php.net/support.php
[2002-03-13 09:26:53] [EMAIL PROTECTED]
ENV:
Linux 2.2.19/apache 1.3.23/ Safe mode on, latest security
update
The following simple scripts no longer work:
?
mkdir('/var/www/web/test/testfolder' , 0777);
mkdir('/var/www/web/test/testfolder/another', 0777);
?
It generates: SAFE MODE Restriction in effect. The script
whose uid is 48561 is not allowed to
access /var/www/web/test/testfolder owned by uid 98 in ..
--
Edit this bug report at http://bugs.php.net/?id=16042edit=1
