Re: [PHP] Safe mode story

2008-05-14 Thread Philip Thompson

On May 11, 2008, at 12:06 AM, admin wrote:

[snip!]


> Safe mode has _got_ to be there for some good reason.


Read on about PHP6




Scroll down to where the title is "Things removed" - notice that  
'safe_mode' is listed. It may have been put in originally for a good  
reason, but since then deprecated.


HTH,

~Philip


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Safe mode story

2008-05-11 Thread Wolf
You could try having apache run as the UID of the user.  With a few 
modifications to apache site config and you should be golden!

HTH,
Wolf

-Original Message-
From: admin <[EMAIL PROTECTED]>
Sent: Sunday, May 11, 2008 1:06 AM
To: php-general@lists.php.net
Subject: [PHP] Safe mode story

Hi all,

I'm running a Plesk 8.3 mass hosting server equipped with PHP 5.1.6 on 
CentOS 5, and I'm facing the problem of PHP "Safe mode" barfing at the 
UID mismatch of PHP scripts uploaded by user's FTP UID, and later 
executed by Apache UID, where user's PHP scripts thusly uploaded attempt 
to write any files while doing their job.

Is there an educated solution? What if I relax safe mode checks to gid 
(safe_mode_gid=On), and given that GID is psacln for every Plesk-hosted 
customer, with only UIDs being different, is there any risk that folks 
operating on their own chmod 660 files will be able to overwrite other 
people's chmod 660 files? Or will open_basedir be enough to prevent 
unwanted PHP level file access while relaxing safe mode uid check at the 
same time? (by default, it is properly set by Plesk in 
%mysite%/conf/httpd.include) ?

BTW, safe_mode_exec_dir is empty by default, does it mean if I do set 
safe_mode_gid then users will be able to exec other Plesk users' cgi-bin 
scripts etc. because of GIDs being equal??

Safe mode has _got_ to be there for some good reason.

Thanks in advance for any tips.

-- 


[The entire original message is not included]





Re: [PHP] safe mode question

2006-01-09 Thread James Benson
Your php.ini should have root as its owner and be set to 600. If you're 
using the Apache server then Apache must start as root; the php.ini file is 
read only once by root when the server starts, so that setting should 
not cause problems. However, if using the CLI then you should also make 
/etc/php.ini readable by all other users (permissions 644).


Not sure why the SUSE folks would put both --enable-cli and 
--disable-cli, but I notice they also have --with-pear and 
--without-pear. Which takes precedence I'm not completely sure, but I would 
think the last one would, so you probably have pear and the CLI installed 
despite the --disable and --without lines. If I remember correctly the 
CLI is required to use pear, so --disable-cli would force --without-pear. 
I would suggest you compile your own version.



~James



(Robin) wrote:
> Doh -
>
> I figured it out (for those who were interested). The permissions on
> /etc/php.ini were set to 600 (owner == root). Changing this to other read fixes
> the issue.
>
> Any idea why Suse would do this?
>
> Thanks
> -robin





Re: [PHP] safe mode question

2006-01-08 Thread Robin
Doh - 

I figured it out (for those who were interested). The permissions on 
/etc/php.ini were set to 600 (owner == root). Changing this to other read fixes 
the issue.

Any idea why Suse would do this?

Thanks
-robin




Re: [PHP] Safe mode subdirectory workaround patch

2005-07-29 Thread John Nichel

Bostjan Skufca wrote:

> Hi everyone,
>
> I created a patch which enables subdirectories to be created and used even if
> PHP is running with safe mode enabled (common problem on shared hosts where
> Apache/PHP runs as user 'nobody' or 'www').
>
> Patch can be found here:
> http://www.lenivec.com/php/patches/
>
> Comments are welcome!


Not to dismiss the work you've put into this, but how does a user in a 
shared hosting environment apply this patch and re-compile php?


--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]




RE: [PHP] safe mode

2005-07-29 Thread Kim Madsen
> -Original Message-
> From: Bostjan Skufca @ domenca.com [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 28, 2005 1:38 PM

> > > I would *never* host anything on a server with safe_mode on!
> 
> What are your reasons for this decision?

I corrected it in a mail 5 minutes after.

With safe_mode off this is possible

System("cat /home/Bostjan/include/db_setup.inc");

From any php script and any user. 

One should be protected by safe_mode_gid and safe_mode_include_dir, but I've 
seen several examples of hosting setups that allow complete access to another 
user's directory. With safe_mode on I'm more safe and so are my customers ;-)

--
Med venlig hilsen / best regards
ComX Networks A/S
Kim Madsen
Systemudvikler/Systemdeveloper




Re: [PHP] safe mode

2005-07-28 Thread Bostjan Skufca @ domenca.com
> > -Original Message-
> > From: Kim Madsen [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, July 28, 2005 12:01 PM
> >
> > I would *never* host anything on a server with safe_mode on!

What are your reasons for this decision?


regards,
Bostjan




RE: [PHP] safe mode

2005-07-28 Thread Ryan A
Hey Kim,
 
> I would *never* host anything on a server with safe_mode on!

Just 1 day late :-( just bought hosting for a year with b-one.se :-(
What are the main reasons you would never host with safe mode on?

and what's this:

s/safe_mode on/safe_mode off/

??

Thanks,
Ryan 




RE: [PHP] safe mode

2005-07-28 Thread Kim Madsen
Ahem!

> -Original Message-
> From: Kim Madsen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 28, 2005 12:01 PM

> I would *never* host anything on a server with safe_mode on!

s/safe_mode on/safe_mode off/

/Kim




RE: [PHP] safe mode

2005-07-28 Thread Kim Madsen

> -Original Message-
> From: Ryan A [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 26, 2005 6:29 PM

> I presently require hosting with a company that has their servers in
> Sweden, and I need a shared hosting account,
> any recommendations are welcome, the server is for a client.
> 
> I have found quite a few via google but I noticed most of them are with
> Safemode ON and Register_globals ON
> which I find to be quite strange because I have always hosted on a
> "regular" server with safe mode off, register_globals does not really
> matter, as if it was off I didn't do anything but
> if it was on I used a htaccess file to put the b**ch off :-)
> 
> I have done a little reading on Safe Mode, but I'm looking for _your_
> experiences with safe mode and the problems
> you have faced or/and any warnings for me. Will continue to read and
> search via google while I wait for your answer/s.

I would *never* host anything on a server with safe_mode on!

System("cat /home/USER/include/db_setup.inc");

--
Med venlig hilsen / best regards
ComX Networks A/S
Kim Madsen
Systemudvikler/Systemdeveloper




RE: [PHP] SAFE MODE Restriction - mkdir()

2004-11-25 Thread SED
 
This answer from Mike solved this (e.g. create a CGI process for this task):

[...]
So, yes, you can create a directory which it is then impossible to access --
this is an unfortunate side-effect of safe mode when PHP runs as an Apache
module and hence as the Apache user.  This is why hosted services often use
chrooted jails with PHP as a CGI -- the individual copies of PHP then run
with the appropriate uids of the host usernames.
[...]


Regards,
Summi




Re: [PHP] SAFE MODE Restriction - mkdir()

2004-11-25 Thread Marek Kilimajer
SED wrote:
> It just seems not making sense. I have read the manual and it does not
> explain this specially.
>
> If the user owns this folder: "www\myfolders"
>
> And runs a PHP-script in safe mode that creates the folder
> "www\myfolders\who".
>
> Who owns the "who" folder?

If the webserver is run under user nobody, then "who" folder is owned by 
user nobody. Only root can change owners so there's no way around it.

> I assume the owner. If so, why can't the PHP-script create another folder
> inside like "www\myfolders\who\this" like before?

Webserver running under user nobody reads in your script owned by you. 
PHP has safe mode on, so every time it creates a file or directory it 
checks if the owner of the parent directory is the same as the owner of 
the php script being executed. If it's not, it issues a "SAFE MODE 
Restriction in effect" error.

> If "the user of the php process" (UID) is the owner of the new folder, why
> can't it create a folder inside its own folder? Is it because it's triggered
> by a user different from the user of the PHP process?


RE: [PHP] SAFE MODE Restriction - mkdir()

2004-11-25 Thread Ford, Mike



On 25 November 2004 00:47, SED wrote:

> Then, shouldn't the owner be able to handle the new directory?
> 
> In my case, the owner creates the directory X but can't create a
> subdirectory inside the directory X! nor save a file into it!
> 
> Can you explain that?
> 
> Is the PHP not always running as the same user? Or is it based
> on type of the function?

It works like this:

(1) Script (owned by you) attempts to access original directory (owned by
you, presumably) -- ok.

(2) Script (owned by you, but running as Apache user) creates new
subdirectory (set to be owned by user *running* the script, i.e. Apache
user).

(3) Script (owned by you) attempts to access new subdirectory (owned by
Apache user) -- denied.

So, yes, you can create a directory which it is then impossible to access --
this is an unfortunate side-effect of safe mode when PHP runs as an Apache
module and hence as the Apache user.  This is why hosted services often use
chrooted jails with PHP as a CGI -- the individual copies of PHP then run
with the appropriate uids of the host usernames.

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 
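
The three steps in the reply above can be replayed with a small in-memory model. This is an added example, not PHP's internal code and not from any poster: uids 3703 and 508 are the ones in the warning quoted in this thread, while the gids, the second customer and the function names are constructed assumptions.

```php
<?php
// Added illustration: a model of the safe mode ownership rule as this thread
// describes it. Only the safe mode decision is modelled; OS permission bits
// are left out because the thread's directories are mode 0777.
declare(strict_types=1);

/** Safe mode check: the script's owner must match the target's owner,
 *  or its group when safe_mode_gid is on. */
function safeModeAllows(array $script, array $target, bool $gidCheck): bool
{
    if ($script['uid'] === $target['uid']) {
        return true;
    }
    return $gidCheck && $script['gid'] === $target['gid'];
}

/**
 * mkdir() in the model. $fs maps path => ['uid' => int, 'gid' => int].
 * $script is the owner of the .php file, $process is who runs PHP.
 */
function modelMkdir(array &$fs, string $path, array $script, array $process,
                    bool $safeMode, bool $gidCheck = false): string
{
    $parent = dirname($path);
    if (!isset($fs[$parent])) {
        return "no such directory: $parent";
    }
    if ($safeMode && !safeModeAllows($script, $fs[$parent], $gidCheck)) {
        return sprintf(
            'SAFE MODE Restriction: script uid %d may not access "%s" owned by uid %d',
            $script['uid'], $parent, $fs[$parent]['uid']
        );
    }
    // A new directory belongs to whoever *runs* PHP, not to the script owner.
    $fs[$path] = $process;
    return 'ok';
}

$user   = ['uid' => 3703, 'gid' => 100]; // script owner (gid constructed)
$apache = ['uid' => 508,  'gid' => 48];  // web server process (gid constructed)
$other  = ['uid' => 3704, 'gid' => 100]; // constructed: second customer, same group

$results = [];

// 1. PHP as an Apache module with safe mode on: the first mkdir succeeds and
//    leaves a directory owned by uid 508, so the second one is refused.
$fs = ['www' => $user];
$results['module: www/something'] =
    modelMkdir($fs, 'www/something', $user, $apache, true);
$results['module: www/something/something2'] =
    modelMkdir($fs, 'www/something/something2', $user, $apache, true);

// 2. PHP as CGI running under the user's own uid: both levels succeed,
//    because process owner and script owner are the same account.
$fs = ['www' => $user];
$results['cgi: www/something'] =
    modelMkdir($fs, 'www/something', $user, $user, true);
$results['cgi: www/something/something2'] =
    modelMkdir($fs, 'www/something/something2', $user, $user, true);

// 3. Another customer's script writing into this user's directory:
//    refused by the uid compare, accepted once safe_mode_gid is on and
//    both accounts share one group.
$fs = ['www' => $user];
$results['other customer, uid compare'] =
    modelMkdir($fs, 'www/x', $other, $apache, true, false);
$results['other customer, safe_mode_gid'] =
    modelMkdir($fs, 'www/x', $other, $apache, true, true);

foreach ($results as $label => $outcome) {
    printf("%-36s %s\n", $label, $outcome);
}
```

In the third scenario the safe mode check stops separating accounts once they share a group, so whatever isolation remains has to come from open_basedir and file permissions.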




Re: [PHP] SAFE MODE Restriction - mkdir()

2004-11-24 Thread Michael Leung
Hi,
   I have faced the same problem after upgrading my server from PHP
4.2.2 to PHP 5.0.2. I tested mkdir() with safe_mode both on and off.
I have posted this to php-bug.

yours,
Michael




RE: [PHP] SAFE MODE Restriction - mkdir()

2004-11-24 Thread SED
The PHP Version is 4.2.3 on Apache/1.3.27.

I'm not the admin on this server. However, I have done this often on other
servers, both in safe mode and not, with good success. This is the first
time I try this on this server. The ISP-admin is also trying to solve this
but with no luck at this time. 

Regards,
Summi

-Original Message-
From: Michael Leung [mailto:[EMAIL PROTECTED] 
Sent: 25. nóvember 2004 03:21
To: SED
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] SAFE MODE Restriction - mkdir()

Hi sed,
   Which version of PHP are you using? It may not be just Safe Mode. Is the
script working well before the safe mode is on?

yours,
Michael





Re: [PHP] SAFE MODE Restriction - mkdir()

2004-11-24 Thread Michael Leung
Hi sed,
   Which version of PHP are you using? It may not be just Safe Mode. Is
the script working well before the safe mode is on?

yours,
Michael




RE: [PHP] SAFE MODE Restriction - mkdir()

2004-11-24 Thread SED
It just seems not making sense. I have read the manual and it does not
explain this specially.

If the user owns this folder: "www\myfolders"

And runs a PHP-script in safe mode that creates the folder
"www\myfolders\who".

Who owns the "who" folder?

I assume the owner. If so, why can't the PHP-script create another folder
inside like "www\myfolders\who\this" like before?

If "the user of the php process" (UID) is the owner of the new folder, why
can't it create a folder inside its own folder? Is it because it's triggered
by a user different from the user of the PHP process?

Regards,
Summi

-Original Message-
From: Marek Kilimajer [mailto:[EMAIL PROTECTED] 
Sent: 25. nóvember 2004 01:13
To: SED
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] SAFE MODE Restriction - mkdir()

SED wrote:
> Then, shouldn't the owner be able to handle the new directory?
> 
> In my case, the owner creates the directory X but can't create a 
> subdirectory inside the directory X! nor save a file into it!
> 
> Can you explain that?
> 
> Is the PHP not always running as the same user? Or is it based on type 
> of the function?

Once again: the user of the php process is different from the owner of the
php script. And this is what matters.

The limitation is not at operating system level, but php willingly chooses
not to let you create the subdirectory (because safe mode is on)

> 
> Regards,
> Summi
>   
> 
> -Original Message-
> From: Marek Kilimajer [mailto:[EMAIL PROTECTED]
> Sent: 25. nóvember 2004 00:05
> To: SED
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] SAFE MODE Restriction - mkdir()
> 
> SED wrote:
> 
>>Hi,
>>
>>I have very weird situation. The ISP is running in SAFE MODE.
>>
>>I use PHP to create a directory with mkdir("something", 0777), it 
>>works great!
>>
>>However, if I try to create a sub-directory (e.g. "something2") in the 
>>"something" directory, I get the following:
>>
>>Warning: SAFE MODE Restriction in effect. The script whose uid is 3703 
>>is not allowed to access "something" owned by uid 508 in 
>>/www/login/filer.php on line 287
>>
>>However, if I check the chmod of "something" directory it's 777.
>>
>>Why can't I use PHP-uid to do create or upload files to this "something"
>>directory, which PHP-uid itself created?
> 
> 
> Because SAFE MODE is on :-)
> 
> It's all in the manual. something is created by the server process so 
> it's also owned by server process. The script is owned by you and can 
> access only directories and files owned by you. You can try to change 
> the group
> (chgrp()) if safe_mode_gid is on, or use ftp functions to create the 
> directories.
> 




Re: [PHP] SAFE MODE Restriction - mkdir()

2004-11-24 Thread Marek Kilimajer
SED wrote:
> Then, shouldn't the owner be able to handle the new directory?
>
> In my case, the owner creates the directory X but can't create a
> subdirectory inside the directory X! nor save a file into it!
>
> Can you explain that?
>
> Is the PHP not always running as the same user? Or is it based on type of the
> function?

Once again: the user of the php process is different from the owner of 
the php script. And this is what matters.

The limitation is not at operating system level, but php willingly 
chooses not to let you create the subdirectory (because safe mode is on)

> Regards,
> Summi
>
> -Original Message-
> From: Marek Kilimajer [mailto:[EMAIL PROTECTED] 
> Sent: 25. nóvember 2004 00:05
> To: SED
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] SAFE MODE Restriction - mkdir()
>
> SED wrote:
>> Hi,
>>
>> I have very weird situation. The ISP is running in SAFE MODE.
>>
>> I use PHP to create a directory with mkdir("something", 0777), it 
>> works great!
>>
>> However, if I try to create a sub-directory (e.g. "something2") in the 
>> "something" directory, I get the following:
>>
>> Warning: SAFE MODE Restriction in effect. The script whose uid is 3703 
>> is not allowed to access "something" owned by uid 508 in 
>> /www/login/filer.php on line 287
>>
>> However, if I check the chmod of "something" directory it's 777.
>>
>> Why can't I use PHP-uid to do create or upload files to this "something"
>> directory, which PHP-uid itself created?
>
> Because SAFE MODE is on :-)
>
> It's all in the manual. something is created by the server process so it's
> also owned by server process. The script is owned by you and can access only
> directories and files owned by you. You can try to change the group
> (chgrp()) if safe_mode_gid is on, or use ftp functions to create the
> directories.


RE: [PHP] SAFE MODE Restriction - mkdir()

2004-11-24 Thread SED
Then, shouldn't the owner be able to handle the new directory?

In my case, the owner creates the directory X but can't create a
subdirectory inside the directory X! nor save a file into it!

Can you explain that?

Is the PHP not always running as the same user? Or is it based on type of the
function?

Regards,
Summi


-Original Message-
From: Marek Kilimajer [mailto:[EMAIL PROTECTED] 
Sent: 25. nóvember 2004 00:05
To: SED
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] SAFE MODE Restriction - mkdir()

SED wrote:
> Hi,
> 
> I have very weird situation. The ISP is running in SAFE MODE.
> 
> I use PHP to create a directory with mkdir("something", 0777), it 
> works great!
> 
> However, if I try to create a sub-directory (e.g. "something2") in the 
> "something" directory, I get the following:
> 
> Warning: SAFE MODE Restriction in effect. The script whose uid is 3703 
> is not allowed to access "something" owned by uid 508 in 
> /www/login/filer.php on line 287
> 
> However, if I check the chmod of "something" directory it's 777.
> 
> Why can't I use PHP-uid to do create or upload files to this "something"
> directory, which PHP-uid itself created?

Because SAFE MODE is on :-)

It's all in the manual. something is created by the server process so it's
also owned by server process. The script is owned by you and can access only
directories and files owned by you. You can try to change the group
(chgrp()) if safe_mode_gid is on, or use ftp functions to create the
directories.




Re: [PHP] SAFE MODE Restriction - mkdir()

2004-11-24 Thread Marek Kilimajer
SED wrote:
> Hi,
>
> I have very weird situation. The ISP is running in SAFE MODE.
>
> I use PHP to create a directory with mkdir("something", 0777), it works
> great!
>
> However, if I try to create a sub-directory (e.g. "something2") in the
> "something" directory, I get the following:
>
> Warning: SAFE MODE Restriction in effect. The script whose uid is 3703 is
> not allowed to access "something" owned by uid 508 in /www/login/filer.php
> on line 287
>
> However, if I check the chmod of "something" directory it's 777.
>
> Why can't I use PHP-uid to do create or upload files to this "something"
> directory, which PHP-uid itself created?

Because SAFE MODE is on :-)

It's all in the manual. something is created by the server process so 
it's also owned by server process. The script is owned by you and can 
access only directories and files owned by you. You can try to change 
the group (chgrp()) if safe_mode_gid is on, or use ftp functions to 
create the directories.



Re: [PHP] Safe mode & imagecreatefromjpeg

2004-10-13 Thread Marek Kilimajer
Paulo JF Silva wrote:
> Hi,
>
> I have PHP 4.3.5 and safe mode on. When I create a new image with 
> imagecreatefromjpeg(), the image owner is 'httpd' and not my ftp user. 
> [this is in a shared host].
>
> I would like to know if there is any way to create the image with my 
> user... I can work around mkdir & stuff with ftp access but I can't 
> figure out a workaround for this 'problem' caused by safe mode.

It's a little tricky. You need to catch imagecreatefromjpeg() output 
using output buffering, then open a temporary file, write the output 
there, rewind(), and ftp_fput(). Haven't tried it, but should work.



Re: [PHP] Safe mode & imagecreatefromjpeg

2004-10-08 Thread Curt Zirzow
* Thus wrote Paulo JF Silva:
> Hi,
> 
> I have PHP 4.3.5 and safe mode on. When I create a new image with 
> imagecreatefromjpeg(), the image owner is 'httpd' and not my ftp user. 
> [this is in a shared host].
> 
> I would like to know if there is any way to create the image with my 
> user... I can work around mkdir & stuff with ftp access but I can't 
> figure out a workaround for this 'problem' caused by safe mode.

You'll have to request to the hosting company to make it possible
that your ftp user can have 'rwx' permissions  to the files that
the webserver creates.

The security implications will have to be up to them.


Curt
-- 
The above comments may offend you. flame at will.




Re: [PHP] safe mode?

2004-09-29 Thread Marek Kilimajer
blackwater dev wrote:
> so do this each time?
>
> I need a routine that will dynamically create a folder, then use that
> folder to upload images.  This problem doesn't exist just on one
> directory but on all directories dynamically created.

I mean PHP ftp functions. http://www.php.net/ftp

> Thanks!
>
> On Wed, 29 Sep 2004 21:48:05 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
>> blackwater dev wrote:
>>> Hello all...
>>>
>>> I finally have an upload script partly working but am not running into
>>> this problem.
>>>
>>> I have this code which executes when the user visits the image upload page:
>>>
>>> if (!file_exists("../images/property_$id")){
>>> mkdir("../images/property_$id", 0700);}
>>> $upload_dir = "../images/property_$id";
>>>
>>> When the user executes the script, it returns and runs this code:
>>>
>>> if($_FILES['file']['name'][$i])
>>>  {
>>>  $file_to_upload = $upload_dir."/".$_FILES['file']['name'][$i];
>>>  $thisName=$_FILES['file']['name'][$i];
>>>  move_uploaded_file($_FILES['file']['tmp_name'][$i],$file_to_upload); }
>>>
>>> And I get these errors::
>>>
>>> Warning: move_uploaded_file(): SAFE MODE Restriction in effect. The
>>> script whose uid is 1044 is not allowed to access
>>> /images/property_128873 owned by uid 1002 in /imageupload.inc.php on
>>> line 39
>>>
>>> then a bunch of other related errors.  I have tried using 0777
>>> also.  How can I get around SAFE MODE as I can't easily change the ini
>>> file as it is on my hosts server.
>>>
>>> Thanks!
>>
>> Use ftp function to create the upload directory. Login as userid 1044,
>> create the directory, change its permission, and you are done
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: [PHP] safe mode?

2004-09-29 Thread blackwater dev
so do this each time?

I need a routine that will dynamically create a folder, then use that
folder to upload images.  This problem doesn't exists just on one
directory but on all directories dynamically created.

Thanks!


On Wed, 29 Sep 2004 21:48:05 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
> 
> 
> blackwater dev wrote:
> > Hello all...
> >
> > I finally have an upload script partly working but am not running into
> > this problem.
> >
> > I have this code which executes when the user visits the image upload page:
> >
> > 
> >  if (!file_exists("../images/property_$id")){
> >  mkdir("../images/property_$id", 0700);}
> >
> >  $upload_dir = "../images/property_$id";
> > 
> >
> > When the user executes the script, it returns and runs this code:
> >
> > 
> > if($_FILES['file']['name'][$i])
> >   {
> >   $file_to_upload = $upload_dir."/".$_FILES['file']['name'][$i];
> >   $thisName=$_FILES['file']['name'][$i];
> >   move_uploaded_file($_FILES['file']['tmp_name'][$i],$file_to_upload); }
> > 
> >
> > And I get these errors::
> >
> > Warning: move_uploaded_file(): SAFE MODE Restriction in effect. The
> > script whose uid is 1044 is not allowed to access
> > /images/property_128873 owned by uid 1002 in /imageupload.inc.php on
> > line 39
> >
> > then a bunch of other related errors.  I have tried using 0777
> > also.  How can I get around SAFE MODE as I can't easily change the ini
> > file as it is on my hosts server.
> >
> > Thanks!
> >
> 
> Use ftp function to create the upload directory. Login as userid 1044,
> create the directory, change its permission, and you are done
> 
> 
>




Re: [PHP] safe mode?

2004-09-29 Thread Marek Kilimajer
blackwater dev wrote:
> Hello all...
>
> I finally have an upload script partly working but am not running into
> this problem.
>
> I have this code which executes when the user visits the image upload page:
>
>  if (!file_exists("../images/property_$id")){
>  mkdir("../images/property_$id", 0700);}
>  $upload_dir = "../images/property_$id";
>
> When the user executes the script, it returns and runs this code:
>
> if($_FILES['file']['name'][$i])
>   {
>   $file_to_upload = $upload_dir."/".$_FILES['file']['name'][$i];
>   $thisName=$_FILES['file']['name'][$i];
>   move_uploaded_file($_FILES['file']['tmp_name'][$i],$file_to_upload); }
>
> And I get these errors::
>
> Warning: move_uploaded_file(): SAFE MODE Restriction in effect. The
> script whose uid is 1044 is not allowed to access
> /images/property_128873 owned by uid 1002 in /imageupload.inc.php on
> line 39
>
> then a bunch of other related errors.  I have tried using 0777
> also.  How can I get around SAFE MODE as I can't easily change the ini
> file as it is on my hosts server.
>
> Thanks!

Use ftp function to create the upload directory. Login as userid 1044, 
create the directory, change its permission, and you are done
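
The FTP route suggested above, together with the buffer-then-ftp_fput() steps from the imagecreatefromjpeg reply earlier on this page, as an added example that is not code from either post. Host, credentials, paths and function names are assumptions; the image bytes come from buffering imagejpeg(), the GD call that writes JPEG output.

```php
<?php
// Added illustration, not code from the thread. Requires the ftp and gd
// extensions. Connection details are read from the environment (assumed
// variable names) so no password sits in a file other accounts might read.
declare(strict_types=1);

/** Log in over FTP as the account that owns the PHP scripts. */
function ftpAsOwner(string $host, string $user, string $pass)
{
    $conn = ftp_connect($host);
    if ($conn === false || !ftp_login($conn, $user, $pass)) {
        throw new RuntimeException('FTP connect/login failed');
    }
    ftp_pasv($conn, true);
    return $conn;
}

/**
 * Create $dir through FTP so that it is owned by the FTP user, which is
 * the uid safe mode compares against the script owner.
 * $mode must still let the web server's uid write: the thread uses 0777,
 * which also makes the directory writable by every account on the host.
 * A narrower mode works only if the server shares a group with the user.
 */
function ftpMakeUploadDir($conn, string $dir, int $mode): void
{
    $start = ftp_pwd($conn);
    if (@ftp_chdir($conn, $dir)) {
        ftp_chdir($conn, $start);          // already exists, go back
    } elseif (ftp_mkdir($conn, $dir) === false) {
        throw new RuntimeException("cannot create $dir");
    }
    // ftp_chmod() needs PHP 5; on PHP 4 the equivalent is
    // ftp_site($conn, "CHMOD 777 $dir").
    if (ftp_chmod($conn, $mode, $dir) === false) {
        throw new RuntimeException("cannot chmod $dir");
    }
}

/**
 * Store a GD image as a JPEG owned by the FTP user: buffer the output,
 * write it to a temporary file, rewind, then ftp_fput().
 */
function ftpPutJpeg($conn, $image, string $remoteFile, int $quality = 85): void
{
    ob_start();
    imagejpeg($image, null, $quality);     // JPEG bytes go to the buffer
    $jpeg = ob_get_clean();

    $tmp = tmpfile();
    fwrite($tmp, $jpeg);
    rewind($tmp);
    $ok = ftp_fput($conn, $remoteFile, $tmp, FTP_BINARY);
    fclose($tmp);
    if (!$ok) {
        throw new RuntimeException("upload of $remoteFile failed");
    }
}

// Runs only when connection details are supplied.
if (getenv('FTP_HOST') !== false) {
    $conn = ftpAsOwner(
        (string) getenv('FTP_HOST'),
        (string) getenv('FTP_USER'),
        (string) getenv('FTP_PASS')
    );
    // Path is relative to the FTP login directory (assumed layout).
    ftpMakeUploadDir($conn, 'images/property_demo', 0777);
    $img = imagecreatetruecolor(64, 64);   // constructed sample image
    ftpPutJpeg($conn, $img, 'images/property_demo/blank.jpg');
    ftp_close($conn);
}
```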



Re: [PHP] safe mode/open basedir not working ?

2004-07-02 Thread robert mena
Ok. It did not work.  I had to create an empty dir.

Well, one problem.

Since I have users with ftp access and they host php scripts that
handle "file uploads".  The files are created with apache.apache and
are usually moved to the user's directory using move_uploaded_file.

Since the owner/group of the script would be foo.ftponly this would
fail due to uid differences.

How do I solve this ?  Change the user's group from ftponly to apache
and use the safe_mode_gid on ?

- rt

On Fri, 2 Jul 2004 11:28:39 -0700, Justin Patrin <[EMAIL PROTECTED]> wrote:
> 
> That *may* not work as it's a file, not a folder. You're welcome to
> try, though. :-)
> 
> On Fri, 2 Jul 2004 14:19:25 -0400, robert mena <[EMAIL PROTECTED]> wrote:
> >
> > Ok. How about set the safe_mode_exec_dir to /dev/null then ?
> >
>




Re: [PHP] safe mode/open basedir not working ?

2004-07-02 Thread Justin Patrin
That *may* not work as it's a file, not a folder. You're welcome to
try, though. :-)

On Fri, 2 Jul 2004 14:19:25 -0400, robert mena <[EMAIL PROTECTED]> wrote:
> 
> Ok. How about set the safe_mode_exec_dir to /dev/null then ?
> 
> 
> On Wed, 30 Jun 2004 21:55:17 -0700, Justin Patrin <[EMAIL PROTECTED]> wrote:
> >
> > YES. You need to set the safe_mode_exec_dir path to be some path
> > without binaries. Such as: /etc, although that's a bad example. Make a
> > directory with only root write access and point that config option to
> > it.
> >
> >
> > On Wed, 30 Jun 2004 22:31:27 -0400, robert mena <[EMAIL PROTECTED]> wrote:
> > >
> > > Marek, Justin,
> > >
> > > am I doing something wrong with the setup because I saw the logs and a
> > > redeye.php was used to system("perl -") and was not supposed to.
> > >
> > >
> > > On Thu, 01 Jul 2004 00:32:07 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Justin Patrin wrote --- napísal::
> > > > > On Wed, 30 Jun 2004 23:50:02 +0200, Marek Kilimajer <[EMAIL PROTECTED]> 
> > > > > wrote:
> > > > >
> > > > >>robert mena wrote --- napísal::
> > > > >>
> > > > >>>Hi,
> > > > >>>
> > > > >>>I host a few virtual domains in apache 2 and use php.
> > > > >>>
> > > > >>>The virtual domain is something like
> > > > >>>
> > > > >>>
> > > > >>>ServerAdmin [EMAIL PROTECTED]
> > > > >>>DocumentRoot /home/httpd/html/domain.com
> > > > >>>ServerName www.domain.com
> > > > >>>ErrorLog   logs/domain.com-error_log
> > > > >>>CustomLog  logs/domain.com-access_log combined
> > > > >>>ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
> > > > >>>
> > > > >>>AllowOverride AuthConfig Limit
> > > > >>>php_admin_value doc_root "/home/httpd/html/domain.com/"
> > > > >>>php_admin_flag safe_mode on
> > > > >>>php_admin_value open_basedir 
> > > > >>> "/home/httpd/html/domain.com:/tmp/"
> > > > >>>
> > > > >>>
> > > > >>>
> > > > >>>Recently I had a minor problem with a user that uploaded via ftp a php
> > > > >>>script in his domain and this domain used exec/system etc to call
> > > > >>>perl, read files.
> > > > >>>
> > > > >>>Shouldn't the settings above restrict such thing ?
> > > > >>>
> > > > >>
> > > > >>no, this setting affects only php, not programs executed from php
> > > > >
> > > > >
> > > > > If you have safe mode on, you can set various things to stop this. One
> > > > > is safe_mode_exec_dir.
> > > >
> > > > Actually you have to if you want to use any of the exec functions:
> > > >
> > > >
> > >
> > >
> > >
> > >
> > >
> > 
> > --
> > paperCrane --Justin Patrin--
> >
> 
> 
> 


-- 
DB_DataObject_FormBuilder - The database at your fingertips
http://pear.php.net/package/DB_DataObject_FormBuilder

paperCrane --Justin Patrin--




Re: [PHP] safe mode/open basedir not working ?

2004-07-02 Thread robert mena
Ok. How about set the safe_mode_exec_dir to /dev/null then ?

On Wed, 30 Jun 2004 21:55:17 -0700, Justin Patrin <[EMAIL PROTECTED]> wrote:
> 
> YES. You need to set the safe_mode_exec_dir path to be some path
> without binaries. Such as: /etc, although that's a bad example. Make a
> directory with only root write access and point that config option to
> it.
> 
> 
> On Wed, 30 Jun 2004 22:31:27 -0400, robert mena <[EMAIL PROTECTED]> wrote:
> >
> > Marek, Justin,
> >
> > am I doing something wrong with the setup because I saw the logs and a
> > redeye.php was used to system("perl -") and was not supposed to.
> >
> >
> > On Thu, 01 Jul 2004 00:32:07 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
> > >
> > > Justin Patrin wrote --- napísal::
> > > > On Wed, 30 Jun 2004 23:50:02 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
> > > >
> > > >>robert mena wrote --- napísal::
> > > >>
> > > >>>Hi,
> > > >>>
> > > >>>I host a few virtual domains in apache 2 and use php.
> > > >>>
> > > >>>The virtual domain is something like
> > > >>>
> > > >>>
> > > >>>ServerAdmin [EMAIL PROTECTED]
> > > >>>DocumentRoot /home/httpd/html/domain.com
> > > >>>ServerName www.domain.com
> > > >>>ErrorLog   logs/domain.com-error_log
> > > >>>CustomLog  logs/domain.com-access_log combined
> > > >>>ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
> > > >>>
> > > >>>AllowOverride AuthConfig Limit
> > > >>>php_admin_value doc_root "/home/httpd/html/domain.com/"
> > > >>>php_admin_flag safe_mode on
> > > > >>>php_admin_value open_basedir "/home/httpd/html/domain.com:/tmp/"
> > > >>>
> > > >>>
> > > >>>
> > > >>>Recently I had a minor problem with a user that uploaded via ftp a php
> > > >>>script in his domain and this domain used exec/system etc to call
> > > >>>perl, read files.
> > > >>>
> > > > >>>Shouldn't the settings above restrict such thing ?
> > > >>>
> > > >>
> > > >>no, this setting affects only php, not programs executed from php
> > > >
> > > >
> > > > If you have safe mode on, you can set various things to stop this. One
> > > > is safe_mode_exec_dir.
> > >
> > > > Actually you have to if you want to use any of the exec functions:
> > >
> > >
> >
> > 
> >
> >
> 
> --
> paperCrane --Justin Patrin--
>




Re: [PHP] safe mode/open basedir not working ?

2004-06-30 Thread Justin Patrin
YES. You need to set the safe_mode_exec_dir path to be some path
without binaries. Such as: /etc, although that's a bad example. Make a
directory with only root write access and point that config option to
it.

On Wed, 30 Jun 2004 22:31:27 -0400, robert mena <[EMAIL PROTECTED]> wrote:
> 
> Marek, Justin,
> 
> am I doing something wrong with the setup because I saw the logs and a
> redeye.php was used to system("perl -") and was not supposed to.
> 
> 
> On Thu, 01 Jul 2004 00:32:07 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
> >
> > Justin Patrin wrote --- napísal::
> > > On Wed, 30 Jun 2004 23:50:02 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
> > >
> > >>robert mena wrote --- napísal::
> > >>
> > >>>Hi,
> > >>>
> > >>>I host a few virtual domains in apache 2 and use php.
> > >>>
> > >>>The virtual domain is something like
> > >>>
> > >>>
> > >>>ServerAdmin [EMAIL PROTECTED]
> > >>>DocumentRoot /home/httpd/html/domain.com
> > >>>ServerName www.domain.com
> > >>>ErrorLog   logs/domain.com-error_log
> > >>>CustomLog  logs/domain.com-access_log combined
> > >>>ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
> > >>>
> > >>>AllowOverride AuthConfig Limit
> > >>>php_admin_value doc_root "/home/httpd/html/domain.com/"
> > >>>php_admin_flag safe_mode on
> > >>>php_admin_value open_basedir "/home/httpd/html/domain.com:/tmp/"
> > >>>
> > >>>
> > >>>
> > >>>Recently I had a minor problem with a user that uploaded via ftp a php
> > >>>script in his domain and this domain used exec/system etc to call
> > >>>perl, read files.
> > >>>
> > > >>>Shouldn't the settings above restrict such thing ?
> > >>>
> > >>
> > >>no, this setting affects only php, not programs executed from php
> > >
> > >
> > > If you have safe mode on, you can set various things to stop this. One
> > > is safe_mode_exec_dir.
> >
> > > Actually you have to if you want to use any of the exec functions:
> >
> >
> 
> 
> 
> 


-- 
paperCrane --Justin Patrin--




Re: [PHP] safe mode/open basedir not working ?

2004-06-30 Thread robert mena
Marek, Justin,

am I doing something wrong with the setup because I saw the logs and a
redeye.php was used to system("perl -") and was not supposed to.

On Thu, 01 Jul 2004 00:32:07 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
> 
> Justin Patrin wrote --- napísal::
> > On Wed, 30 Jun 2004 23:50:02 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
> >
> >>robert mena wrote --- napísal::
> >>
> >>>Hi,
> >>>
> >>>I host a few virtual domains in apache 2 and use php.
> >>>
> >>>The virtual domain is something like
> >>>
> >>>
> >>>ServerAdmin [EMAIL PROTECTED]
> >>>DocumentRoot /home/httpd/html/domain.com
> >>>ServerName www.domain.com
> >>>ErrorLog   logs/domain.com-error_log
> >>>CustomLog  logs/domain.com-access_log combined
> >>>ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
> >>>
> >>>AllowOverride AuthConfig Limit
> >>>php_admin_value doc_root "/home/httpd/html/domain.com/"
> >>>php_admin_flag safe_mode on
> >>>php_admin_value open_basedir "/home/httpd/html/domain.com:/tmp/"
> >>>
> >>>
> >>>
> >>>Recently I had a minor problem with a user that uploaded via ftp a php
> >>>script in his domain and this domain used exec/system etc to call
> >>>perl, read files.
> >>>
> >>>Shouldn't the settings above restrict such thing ?
> >>>
> >>
> >>no, this setting affects only php, not programs executed from php
> >
> >
> > If you have safe mode on, you can set various things to stop this. One
> > is safe_mode_exec_dir.
> 
> Actually you have to if you want to use any of the exec functions:
> 
>




Re: [PHP] safe mode/open basedir not working ?

2004-06-30 Thread Marek Kilimajer
Justin Patrin wrote --- napísal::
> On Wed, 30 Jun 2004 23:50:02 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
>
>>robert mena wrote --- napísal::
>>
>>>Hi,
>>>
>>>I host a few virtual domains in apache 2 and use php.
>>>
>>>The virtual domain is something like
>>>
>>>
>>>   ServerAdmin [EMAIL PROTECTED]
>>>   DocumentRoot /home/httpd/html/domain.com
>>>   ServerName www.domain.com
>>>   ErrorLog   logs/domain.com-error_log
>>>   CustomLog  logs/domain.com-access_log combined
>>>   ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
>>>
>>>   AllowOverride AuthConfig Limit
>>>   php_admin_value doc_root "/home/httpd/html/domain.com/"
>>>   php_admin_flag safe_mode on
>>>   php_admin_value open_basedir "/home/httpd/html/domain.com:/tmp/"
>>>
>>>
>>>Recently I had a minor problem with a user that uploaded via ftp a php
>>>script in his domain and this domain used exec/system etc to call
>>>perl, read files.
>>>
>>>Shouldn't the settings above restrict such thing ?
>>>
>>
>>no, this setting affects only php, not programs executed from php
>
>
> If you have safe mode on, you can set various things to stop this. One
> is safe_mode_exec_dir.

Actually you have to if you want to use any of the exec functions:


Re: [PHP] safe mode/open basedir not working ?

2004-06-30 Thread Marek Kilimajer
robert mena wrote --- napísal::
> Marek,
>
> but the program was executed using a system call from a php script.
>
> - rt

And that's what I mean. Every fopen call (almost) in the php binary is
wrapped around the safe mode checks. But once you leave the php binary,
or even load a php module that does not use this wrapper, safe mode does
not work anymore.

> On Wed, 30 Jun 2004 23:50:02 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
>
>> robert mena wrote --- napísal::
>>
>>> Hi,
>>>
>>> I host a few virtual domains in apache 2 and use php.
>>>
>>> The virtual domain is something like
>>>
>>>
>>>    ServerAdmin [EMAIL PROTECTED]
>>>    DocumentRoot /home/httpd/html/domain.com
>>>    ServerName www.domain.com
>>>    ErrorLog   logs/domain.com-error_log
>>>    CustomLog  logs/domain.com-access_log combined
>>>    ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
>>>
>>>    AllowOverride AuthConfig Limit
>>>    php_admin_value doc_root "/home/httpd/html/domain.com/"
>>>    php_admin_flag safe_mode on
>>>    php_admin_value open_basedir "/home/httpd/html/domain.com:/tmp/"
>>>
>>>
>>> Recently I had a minor problem with a user that uploaded via ftp a php
>>> script in his domain and this domain used exec/system etc to call
>>> perl, read files.
>>>
>>> Shouldn't the settings above restrict such thing ?
>>
>> no, this setting affects only php, not programs executed from php


Re: [PHP] safe mode/open basedir not working ?

2004-06-30 Thread Red Wingate
That's just what he said :p

Robert Mena wrote:
> Marek,
>
> but the program was executed using a system call from a php script.
>
> - rt
>
> On Wed, 30 Jun 2004 23:50:02 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
>
>> robert mena wrote --- napísal::
>>
>>> Hi,
>>>
>>> I host a few virtual domains in apache 2 and use php.
>>>
>>> The virtual domain is something like
>>>
>>>
>>>    ServerAdmin [EMAIL PROTECTED]
>>>    DocumentRoot /home/httpd/html/domain.com
>>>    ServerName www.domain.com
>>>    ErrorLog   logs/domain.com-error_log
>>>    CustomLog  logs/domain.com-access_log combined
>>>    ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
>>>
>>>    AllowOverride AuthConfig Limit
>>>    php_admin_value doc_root "/home/httpd/html/domain.com/"
>>>    php_admin_flag safe_mode on
>>>    php_admin_value open_basedir "/home/httpd/html/domain.com:/tmp/"
>>>
>>>
>>> Recently I had a minor problem with a user that uploaded via ftp a php
>>> script in his domain and this domain used exec/system etc to call
>>> perl, read files.
>>>
>>> Shouldn't the settings above restrict such thing ?
>>
>> no, this setting affects only php, not programs executed from php


Re: [PHP] safe mode/open basedir not working ?

2004-06-30 Thread Justin Patrin
On Wed, 30 Jun 2004 23:50:02 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
> 
> robert mena wrote --- napísal::
> > Hi,
> >
> > I host a few virtual domains in apache 2 and use php.
> >
> > The virtual domain is something like
> >
> > 
> > ServerAdmin [EMAIL PROTECTED]
> > DocumentRoot /home/httpd/html/domain.com
> > ServerName www.domain.com
> > ErrorLog   logs/domain.com-error_log
> > CustomLog  logs/domain.com-access_log combined
> > ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
> > 
> > AllowOverride AuthConfig Limit
> > php_admin_value doc_root "/home/httpd/html/domain.com/"
> > php_admin_flag safe_mode on
> > php_admin_value open_basedir "/home/httpd/html/domain.com:/tmp/"
> > 
> > 
> >
> > Recently I had a minor problem with a user that uploaded via ftp a php
> > script in his domain and this domain used exec/system etc to call
> > perl, read files.
> >
> > Shouldn't the settings above restrict such thing ?
> >
> 
> no, this setting affects only php, not programs executed from php

If you have safe mode on, you can set various things to stop this. One
is safe_mode_exec_dir. You can specify a directory with binaries the
users can run. Anything outside of that PHP won't run. Just set it to
a path with no binaries (and no write access from users) and they won't
be able to run outside programs unless you let them.

You can also put some functions in disable_functions, such as system()
and exec(), popen(), proc_open(), passthru(), and shell_exec().
Disabling shell_exec() also disables backticks (`) (I think).

-- 
paperCrane --Justin Patrin--
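
A static check of the advice in this thread (open_basedir does not confine programs started from PHP, so restrict them with safe_mode_exec_dir or disable_functions), added here as an example and not code from the list or from PHP. The sample vhosts, the `*:80` arguments, the hostnames other than www.domain.com and the /usr/local/php-empty-bin path are constructed; the rule that disable_functions is honoured only in php.ini comes from the PHP manual, not from the thread.

```python
import posixpath
import re

# Functions the thread names as ways to start external programs from PHP.
EXEC_FUNCTIONS = ("system", "exec", "popen", "proc_open", "passthru", "shell_exec")
PHP_DIRECTIVE = re.compile(r"php_(?:admin_)?(?:value|flag)\s+(\S+)\s+(.+)", re.I)
SERVER_DIRECTIVE = re.compile(r"(ServerName|DocumentRoot)\s+(\S+)", re.I)


def parse_vhosts(conf_text):
    """Return {ServerName: {setting: value}} for each <VirtualHost> block."""
    vhosts, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if re.match(r"<VirtualHost\b", line, re.I):
            current = {}
        elif re.match(r"</VirtualHost>", line, re.I):
            if current is not None:
                vhosts[current.get("servername", "vhost%d" % (len(vhosts) + 1))] = current
            current = None
        elif current is not None:
            m = SERVER_DIRECTIVE.match(line) or PHP_DIRECTIVE.match(line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip().strip('"')
    return vhosts


def disabled_in_ini(php_ini_text):
    """Names listed in php.ini's disable_functions (the last assignment wins)."""
    names = set()
    for line in php_ini_text.splitlines():
        m = re.match(r"\s*disable_functions\s*=(.*)", line, re.I)
        if m:
            value = m.group(1).split(";", 1)[0].strip().strip('"')
            names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return names


def is_inside(path, base):
    """True when path equals base or lies below it (purely lexical check)."""
    path, base = posixpath.normpath(path), posixpath.normpath(base)
    return path == base or path.startswith(base.rstrip("/") + "/")


def audit(conf_text, php_ini_text):
    """Return {vhost: [finding, ...]} for the checks suggested in the thread."""
    callable_exec = [f for f in EXEC_FUNCTIONS if f not in disabled_in_ini(php_ini_text)]
    report = {}
    for name, cfg in parse_vhosts(conf_text).items():
        findings = []
        if "disable_functions" in cfg:
            # Per the PHP manual, disable_functions is honoured only in php.ini.
            findings.append("disable_functions in vhost is ignored; set it in php.ini")
        safe_mode = cfg.get("safe_mode", "off").lower() in ("on", "1", "true", "yes")
        exec_dir = cfg.get("safe_mode_exec_dir", "")
        if callable_exec and not safe_mode:
            findings.append("safe_mode off, still callable: " + ", ".join(callable_exec))
        elif callable_exec and not exec_dir:
            findings.append("safe_mode_exec_dir not set for this vhost")
        elif callable_exec:
            # The exec dir must not sit in a path the site's users or scripts can reach.
            user_paths = [cfg.get("documentroot", "")] + cfg.get("open_basedir", "").split(":")
            for base in sorted({posixpath.normpath(p) for p in user_paths if p}):
                if is_inside(exec_dir, base):
                    findings.append("safe_mode_exec_dir %s is inside %s" % (exec_dir, base))
        report[name] = findings
    return report


# Constructed sample input: the first vhost carries the thread's settings, the
# other two (and every <VirtualHost *:80> line) are made up for this example.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName www.domain.com
    DocumentRoot /home/httpd/html/domain.com
    php_admin_flag safe_mode on
    php_admin_value open_basedir "/home/httpd/html/domain.com:/tmp/"
</VirtualHost>
<VirtualHost *:80>
    ServerName hardened.example
    DocumentRoot /home/httpd/html/hardened.example
    php_admin_flag safe_mode on
    php_admin_value open_basedir "/home/httpd/html/hardened.example:/tmp/"
    php_admin_value safe_mode_exec_dir /usr/local/php-empty-bin
</VirtualHost>
<VirtualHost *:80>
    ServerName mistake.example
    DocumentRoot /home/httpd/html/mistake.example
    php_admin_flag safe_mode on
    php_admin_value safe_mode_exec_dir /home/httpd/html/mistake.example/bin
    php_admin_value disable_functions "system,exec"
</VirtualHost>
"""
SAMPLE_INI = "safe_mode = Off\ndisable_functions =\n"

if __name__ == "__main__":
    for vhost, findings in audit(SAMPLE_CONF, SAMPLE_INI).items():
        print(vhost, findings or "ok")
```

The check is lexical only: whether the exec directory is really empty and writable by root alone still has to be verified on the filesystem.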




Re: [PHP] safe mode/open basedir not working ?

2004-06-30 Thread robert mena
Marek,

but the program was executed using a system call from a php script.

- rt

On Wed, 30 Jun 2004 23:50:02 +0200, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
> 
> robert mena wrote --- napísal::
> 
> > Hi,
> >
> > I host a few virtual domains in apache 2 and use php.
> >
> > The virtual domain is something like
> >
> > 
> > ServerAdmin [EMAIL PROTECTED]
> > DocumentRoot /home/httpd/html/domain.com
> > ServerName www.domain.com
> > ErrorLog   logs/domain.com-error_log
> > CustomLog  logs/domain.com-access_log combined
> > ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
> > 
> > AllowOverride AuthConfig Limit
> > php_admin_value doc_root "/home/httpd/html/domain.com/"
> > php_admin_flag safe_mode on
> > php_admin_value open_basedir "/home/httpd/html/domain.com:/tmp/"
> > 
> > 
> >
> > Recently I had a minor problem with a user that uploaded via ftp a php
> > script in his domain and this domain used exec/system etc to call
> > perl, read files.
> >
> > Shouldn't the settings above restrict such thing ?
> >
> 
> no, this setting affects only php, not programs executed from php
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
>




Re: [PHP] safe mode/open basedir not working ?

2004-06-30 Thread Marek Kilimajer
robert mena wrote --- napísal::
> Hi,
>
> I host a few virtual domains in apache 2 and use php.
>
> The virtual domain is something like
>
>
> ServerAdmin [EMAIL PROTECTED]
> DocumentRoot /home/httpd/html/domain.com
> ServerName www.domain.com
> ErrorLog   logs/domain.com-error_log
> CustomLog  logs/domain.com-access_log combined
> ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
>
> AllowOverride AuthConfig Limit
> php_admin_value doc_root "/home/httpd/html/domain.com/"
> php_admin_flag safe_mode on
> php_admin_value open_basedir "/home/httpd/html/domain.com:/tmp/"
>
>
> Recently I had a minor problem with a user that uploaded via ftp a php
> script in his domain and this domain used exec/system etc to call
> perl, read files.
>
> Shouldn't the settings above restrict such thing ?

no, this setting affects only php, not programs executed from php


Re: [PHP] Safe mode effect

2004-04-22 Thread Marek Kilimajer
Ravi kumar wrote:
> HI,
>
> google.com found so many details about safe mode too much to understand.
>
> My hosting provider set php safe mode = enable . so I am unable to use so
> many scripts .
>
> can any one give good free image gallery software which will work under
> safe mode = enable .
>
> is it true that with apache 2.x version , we can get rid of php safe mode ?
>
> - thanks for your time

I don't know of any gallery that can run under safe mode (I did not
look), but galleries that I made use ftp functions to upload the images
under the same owner as the scripts. Then you can work with the images.



Re: [PHP] Safe Mode

2004-02-22 Thread user

> > According to the safe-mode page http://us4.php.net/features.safe-mode in
> > http.conf :
> >
> >   php_admin_value open_basedir /docroot
> > # In  your case safe_mode_include_dir
> >
> > Can "php_admin_value" be included in the *.php pages and/or .htaccess.
>
> manual > ini_set()

It would seem from the ini_set() comments that the answer to both is yes:

-
There is another possibility by changing PHP Settings!
If your Webspace is able to handle ".htaccess" files, you're able to 
change PHP_INI Settings through this file!

To disable register_globals you have to set:
php_value register_globals 0
If you wanna set other settings, feel free, because there is no problem!

These Settings are set before running the script, e.g. the results of 
register_globals, when setting a parameter in the URL like 
'foo.php?foo=stuff', is not present, $foo is unset.


If it's not your server and therefore you want to hide the data in your
session variables from other users, it's very useful to set the
session.save_handler in your scripts to shared memory with:

"ini_set('session.save_handler','mm')".

Remember: You have to set it in every script that uses the session
variables BEFORE "session_start()" or php won't find them.

David



Re: [PHP] Safe Mode

2004-02-22 Thread Jason Wong
On Monday 23 February 2004 00:55, [EMAIL PROTECTED] wrote:
> >>> Can safe mode be turned off in the .htaccess file?

[snip]

> According the safe-mode page http://us4.php.net/features.safe-mode in
> http.conf :
> 
>php_admin_value open_basedir /docroot
> # In  your case safe_mode_include_dir
> 
>
> Can "php_admin_value" be included in the *.php pages and/or .htaccess.

manual > ini_set()

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
What an artist dies with me!
-- Nero
*/




Re: [PHP] Safe Mode

2004-02-22 Thread user

>> Can safe mode be turned off in the .htaccess file?
>
> I don't know the gallery script but setting safe_mode_include_dir should
> help. Ask the admin to set it to your directory for your virtual host.
> Another option would be to use ftp functions to upload the images to
> your directory, but you would have to rewrite the script.

According to the safe-mode page http://us4.php.net/features.safe-mode in
http.conf :

  php_admin_value open_basedir /docroot
# In  your case safe_mode_include_dir


Can "php_admin_value" be included in the *.php pages and/or .htaccess.

David



Re: [PHP] Safe Mode

2004-02-21 Thread Marek Kilimajer
Lucas Gonze wrote:
> On Saturday, Feb 21, 2004, at 20:17 America/New_York,
> [EMAIL PROTECTED] wrote:
>
>> Lucas Gonze wrote:
>>
>>> On Saturday, Feb 21, 2004, at 09:18 America/New_York,
>>> [EMAIL PROTECTED] wrote:
>>>
>>>> Is it possible to set Apache in such a way that everything is run
>>>> under safe-mode, except for a directory and everything underneath in
>>>> a virtual domain?
>>>
>>> Very likely yes, if your admin permits it.  The place to look for an
>>> answer is in documentation for httpd.conf.
>>> Good luck.
>>> - Lucas
>>
>> Can safe mode be turned off in the .htaccess file?
>
> My guess is no.  That is a decision which should belong to the server
> admin.

Definitely no. It would not be safe mode if anyone can turn it off.

I don't know the gallery script but setting safe_mode_include_dir should 
help. Ask the admin to set it to your directory for your virtual host. 
Another option would be to use ftp functions to upload the images to 
your directory, but you would have to rewrite the script.



Re: [PHP] Safe Mode

2004-02-21 Thread Lucas Gonze
On Saturday, Feb 21, 2004, at 20:17 America/New_York,
[EMAIL PROTECTED] wrote:

> Lucas Gonze wrote:
>> On Saturday, Feb 21, 2004, at 09:18 America/New_York,
>> [EMAIL PROTECTED] wrote:
>>> Is it possible to set Apache in such a way that everything is run
>>> under safe-mode, except for a directory and everything underneath in
>>> a virtual domain?
>> Very likely yes, if your admin permits it.  The place to look for an
>> answer is in documentation for httpd.conf.
>> Good luck.
>> - Lucas
> Can safe mode be turned off in the .htaccess file?

My guess is no.  That is a decision which should belong to the server
admin.



Re: [PHP] Safe Mode

2004-02-21 Thread user
Lucas Gonze wrote:
> On Saturday, Feb 21, 2004, at 09:18 America/New_York,
> [EMAIL PROTECTED] wrote:
>
>> Is it possible to set Apache in such a way that everything is run under
>> safe-mode, except for a directory and everything underneath in a
>> virtual domain?
>
> Very likely yes, if your admin permits it.  The place to look for an
> answer is in documentation for httpd.conf.
>
> Good luck.
>
> - Lucas

Can safe mode be turned off in the .htaccess file?



Re: [PHP] Safe Mode

2004-02-21 Thread Lucas Gonze
On Saturday, Feb 21, 2004, at 09:18 America/New_York,
[EMAIL PROTECTED] wrote:
> Is it possible to set Apache in such a way that everything is run under
> safe-mode, except for a directory and everything underneath in a
> virtual domain?

Very likely yes, if your admin permits it.  The place to look for an
answer is in documentation for httpd.conf.

Good luck.

- Lucas



Re: [PHP] safe mode and mail

2003-06-20 Thread David Nicholson
Hello,


This is a reply to an e-mail that you wrote on Fri, 20 Jun 2003 at 01:40,
lines prefixed by '>' were originally written by you.
> Hi,
> safe mode on and mass mailing wished. I know that it's not possible to
> set
> the time limit, when safe mode is on. Sure mass mailing using mail
> function
> takes longer than default execution time of the script. My codes
> should be
> portable, that why modification of php.ini is not an option. The users
> shouldn't be experienced and authorized to do this. In brief, I have to
> find
> a solution without a need to work in shell.
> So, due to my theoretical knowledge it seems to be a solution, to
> queue the
> mails to sendmail by using popen. Is it true? Or what could be your
> suggestion for this issue.
> Thanks in advance,
> Senih

You could only send a certain amount of e-mails on each execution and use
a meta-refresh to continually call the script. I do this on one site and
also display a progress bar that updates on each refresh which is a bit
better for the end user rather than have them staring at nothing until
eventually all the mails have sent.

All the best,

David.

--
phpmachine :: The quick and easy to use service providing you with
professionally developed PHP scripts :: http://www.phpmachine.com/

  Professional Web Development by David Nicholson
http://www.djnicholson.com/

QuizSender.com - How well do your friends actually know you?
 http://www.quizsender.com/
(developed entirely in PHP)




RE: [PHP] SAFE MODE Restriction in effect

2003-06-09 Thread Ben Edwards
Changed it to dir but not made any difference.  I have root access to the
server so could change php.ini.

However

; Safe Mode
;
safe_mode = Off
; By default, Safe Mode does a UID compare check when
; opening files. If you want to relax this to a GID compare,
; then turn on safe_mode_gid.
safe_mode_gid = Off

So not quite sure why there is a problem

Ben

At 16:23 09/06/2003 +0200, winst0n wrote:

> Ok, I think the php command opendir is blocked for security reason.
>
> Try with this :
>
> $dp = dir($currdir );
>
> dir() and opendir() are the same for client.
>
> A lot of hostserver disable opendir(), I don't know why, but they do ;)

* Ben Edwards   Tel +44 (0)1179 553 551  ICQ 42000477  *
* Webhosting for the masses http://serverone.co.uk *
* Critical Site Builder http://www.criticaldistribution.com *
* online collaborative web authoring content management system *
* Get alt news/views films online   http://www.cultureshop.org *
* i-Contact Progressive Video  http://www.videonetwork.org *
* Fun corporate graphics http://www.subvertise.org *
* Bristol Indymedia   http://bristol.indymedia.org *
* Bristol's radical news http://www.bristle.org.uk *


RE: [PHP] SAFE MODE Restriction in effect

2003-06-09 Thread Ben Edwards
$dp  = opendir( $currdir );

Basically it seems like I need to turn 'SAFE MODE' off but I don't really
know what it is or how to turn it off.

In fact I am not sure where the config file is on a *nix box or what is it
called.

Ben

At 15:58 09/06/2003 +0200, winst0n wrote:

> what does the line 219 in misc.inc ?!

* Ben Edwards   Tel +44 (0)1179 553 551  ICQ 42000477  *
* Webhosting for the masses http://serverone.co.uk *
* Critical Site Builder http://www.criticaldistribution.com *
* online collaborative web authoring content management system *
* Get alt news/views films online   http://www.cultureshop.org *
* i-Contact Progressive Video  http://www.videonetwork.org *
* Fun corporate graphics http://www.subvertise.org *
* Bristol Indymedia   http://bristol.indymedia.org *
* Bristol's radical news http://www.bristle.org.uk *


Re: [PHP] safe mode problem

2003-02-04 Thread Marek Kilimajer
I recommend you use ftp functions to upload the script to your site (from
the generating file). If you only use normal filesystem function, the 
newly created file will get the owner of the http server.

gurvinder singh wrote:

> and how can i be root from a php script?
>
> i want chown from the script itself which created the page.
>
> -Original Message-
> From: Marek Kilimajer [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 03, 2003 12:39 PM
> To: Gurvinder Singh
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] safe mode problem
>
>
> what you did should work (you must be root to change owner). You can use
> -R switch to change owner recursively
>
> Gurvinder Singh wrote:
>
>> hi
>> i create a php page dynamically in my php script. this page include one of
>> my other php file. when i run the newly created script i get this error
>>
>> Warning: SAFE MODE Restriction in effect. The script whose uid is 48 is not
>> allowed to access file.php owned by uid 831
>>
>> Is there a way to handle this.
>>
>> i even tried chown to change the newly created file's owner to be 831 but it
>> doesn't seem to work
>>
>> Thanks & Regards
>> Gurvinder





RE: [PHP] safe mode problem

2003-02-03 Thread gurvinder singh
and how can i be root from a php script?

i want chown from the script itself which created the page.

-Original Message-
From: Marek Kilimajer [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 03, 2003 12:39 PM
To: Gurvinder Singh
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] safe mode problem


what you did should work (you must be root to change owner). You can use
-R switch to change owner recursively

Gurvinder Singh wrote:

>hi
>i create a php page dynamically in my php script. this page include one of
>my other php file. when i run the newly created script i get this error
>
>Warning: SAFE MODE Restriction in effect. The script whose uid is 48 is not
>allowed to access file.php owned by uid 831
>
>Is there a way to handle this.
>
>i even tried chown to change the newly created file's owner to be 831 but it
>doesn't seem to work
>
>Thanks & Regards
>Gurvinder
>
>
>
>
>







Re: [PHP] safe mode problem

2003-02-03 Thread Chris Hayes
At 11:39 3-2-03, you wrote:

> what you did should work (you must be root to change owner). You can use
> -R switch to change owner recursively
>
> Gurvinder Singh wrote:
>
>> hi
>> i create a php page dynamically in my php script. this page include one of
>> my other php file. when i run the newly created script i get this error
>>
>> Warning: SAFE MODE Restriction in effect. The script whose uid is 48 is not
>> allowed to access file.php owned by uid 831
>>
>> Is there a way to handle this.
>>
>> i even tried chown to change the newly created file's owner to be 831 but it
>> doesn't seem to work

I think you did it just the wrong way round, the way i read it the owner of
the file you wanted to read already was 831, so try to chown it to 48.

Safe mode writes files with chmod 750, so now effectively 0 for the php
script that tries to reach it. Instead of chowning, you can also chmod the
file to read (file.php) to 777, if you do not mind the security too much,
if possible take the file out of the www directory.


I have a big problem with safe mode now with a script that needs to create 
subdirectories itself, so with every new added course i would need to go 
and change the chmod by FTP.






Re: [PHP] safe mode problem

2003-02-03 Thread Marek Kilimajer
what you did should work (you must be root to change owner). You can use 
-R switch to change owner recursively

Gurvinder Singh wrote:

> hi
> i create a php page dynamically in my php script. this page include one of
> my other php file. when i run the newly created script i get this error
>
> Warning: SAFE MODE Restriction in effect. The script whose uid is 48 is not
> allowed to access file.php owned by uid 831
>
> Is there a way to handle this.
>
> i even tried chown to change the newly created file's owner to be 831 but it
> doesn't seem to work
>
> Thanks & Regards
> Gurvinder







[PHP] Edwin->Re: [PHP] Safe mode?

2002-09-01 Thread Ryan A
Hey,
Thanks for the reply,
what you sent me I had already read on other sites. I just didn't
understand them!
I basically wanted a longer explanation.

Thanks anyway,
-Ryan.


- Original Message -
From: "@ Edwin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, September 01, 2002 2:49 PM
Subject: Re: [PHP] Safe mode? 


> Try the "mothership" again and type
>
>   php and "safe mode"
>
> Click "Search". The first two results:
>
>   http://www.dynamic-webpages.de/php/features.safe-mode.php
>   http://info.ccone.at/INFO/PHP4/features.safe-mode.html
>
> You can read only ONE so as not to get more confused... :)
>
> - E
>
> PS
> Of course, you can the info here as well:
>   http://www.php.net/manual/en/features.safe-mode.php
>
> >
> >Hi Everyone,
> >I have a small question and just need some general direction, tried the
> mothership(google) but got too many results and got more confused.
> >
> >What is safe mode?
> >
> >If you have any URL or file that can explain it kindly give it to me...
> >cheers and thanks again,
> >-Ryan.
>
>
>
>
>




Re: [PHP] Safe mode?

2002-09-01 Thread @ Edwin
Try the "mothership" again and type

  php and "safe mode"

Click "Search". The first two results:

  http://www.dynamic-webpages.de/php/features.safe-mode.php
  http://info.ccone.at/INFO/PHP4/features.safe-mode.html 

You can read only ONE so as not to get more confused... :)

- E

PS
Of course, you can the info here as well:
  http://www.php.net/manual/en/features.safe-mode.php

>
>Hi Everyone,
>I have a small question and just need some general direction, tried the
>mothership(google) but got too many results and got more confused.
>
>What is safe mode?
>
>If you have any URL or file that can explain it kindly give it to me...
>cheers and thanks again,
>-Ryan.








Re: [PHP] Safe mode

2002-04-26 Thread CC Zona

In article <[EMAIL PROTECTED]>,
 [EMAIL PROTECTED] (Ashley M. Kirchner) wrote:

> Rasmus Lerdorf wrote:
> 
> > You need to use php_admin_flag for safe_mode.
> 
> And I suppose this page has an error on it then:
> 
> http://www.php.net/manual/en/configuration.php
> 
> Since it states php_flag, not php_admin_flag...

The beauty of the system is that when one spots such errors, one can 
immediately add a correction to the annotated docs.  (Done.)

-- 
CC





Re: [PHP] Safe mode

2002-04-26 Thread Ashley M. Kirchner

Rasmus Lerdorf wrote:

> You need to use php_admin_flag for safe_mode.

And I suppose this page has an error on it then:

http://www.php.net/manual/en/configuration.php

Since it states php_flag, not php_admin_flag...


--
Example 3-2. Apache configuration example


  php_value include_path ".:/usr/local/lib/php"
  php_flag safe_mode on


  php3_include_path ".:/usr/local/lib/php"
  php3_safe_mode on

--


--
W | I haven't lost my mind; it's backed up on tape somewhere.
  +
  Ashley M. Kirchner    .   303.442.6410 x130
  IT Director / SysAdmin / WebSmith . 800.441.3873 x130
  Photo Craft Laboratories, Inc.. 3550 Arapahoe Ave. #6
  http://www.pcraft.com . .  ..   Boulder, CO 80303, U.S.A.








Re: [PHP] Safe mode

2002-04-26 Thread Rasmus Lerdorf

You need to use php_admin_flag for safe_mode.

But I wouldn't expect any effect here since you defaulted it to On and in
your httpd.conf you are turning it on...  So what are you expecting to see
different?

-Rasmus

On Fri, 26 Apr 2002, Ashley M. Kirchner wrote:

>
> On our server, PHP's compiled in Apache with --enable-safe-mode as well as
> the master php.ini file having safe_mode turned on.  Does this override
> whatever's in an Apache configuration file?  One of my vhosts has the following
> bit in it:
>
> 
>   php_value include_path ".:/usr/local/lib/php"
>   php_flag safe_mode On
>   php_flag magic_quotes_gpc Off
>   php_flag track_vars On
>   php_flag track_errors On
> 
>
> And the safe_mode entry doesn't seem to have any effect whatsoever.
>
> --
> W | I haven't lost my mind; it's backed up on tape somewhere.
>   +
>   Ashley M. Kirchner    .   303.442.6410 x130
>   IT Director / SysAdmin / WebSmith . 800.441.3873 x130
>   Photo Craft Laboratories, Inc.. 3550 Arapahoe Ave. #6
>   http://www.pcraft.com . .  ..   Boulder, CO 80303, U.S.A.
>
>
>
>
>


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
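
An added example, not code from the thread or from the PHP project: a small Python check that applies Rasmus's point to an Apache config, flagging safe_mode-family settings that are set with php_flag/php_value and proposing the php_admin_* form. The `ADMIN_ONLY` set, the function name `audit` and the sample text (built from the vhost lines quoted above) are assumptions of this example.

```python
import re

# Settings this example treats as needing the admin directives.
# Assumption: the safe_mode family and open_basedir, the settings
# discussed in these threads.
ADMIN_ONLY = {"safe_mode", "safe_mode_gid", "safe_mode_exec_dir",
              "safe_mode_include_dir", "open_basedir"}

DIRECTIVE = re.compile(
    r"^\s*(php_(?:admin_)?(?:flag|value))\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE)


def audit(conf_text):
    """Return (line_no, setting, directive, suggestion) for each ADMIN_ONLY
    setting that is set with php_flag/php_value instead of php_admin_*."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):        # Apache comment line
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, setting = m.group(1).lower(), m.group(2).lower()
        if setting in ADMIN_ONLY and "admin" not in directive:
            fixed = directive.replace("php_", "php_admin_", 1)
            findings.append((no, setting, directive,
                             f"{fixed} {setting} {m.group(3)}"))
    return findings


# Constructed sample: vhost lines as quoted in the thread, plus a comment,
# an already-correct line and a mixed-case directive.
SAMPLE = """\
php_value include_path ".:/usr/local/lib/php"
php_flag safe_mode On
php_flag magic_quotes_gpc Off
# php_flag safe_mode Off
php_admin_value open_basedir /www/example
PHP_Value open_basedir /
"""

if __name__ == "__main__":
    for no, setting, directive, fix in audit(SAMPLE):
        print(f"line {no}: {setting} set with {directive}; use: {fix}")
```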




Re: [PHP] Safe Mode

2002-04-09 Thread Richard Lynch

>On Tue, 9 Apr 2002, Richard Lynch wrote:
>>  So, what's up with this:
>>
>>  PHP /www/herolist.com/web/categories.html: 105 2 SAFE MODE
>>  Restriction in effect.  The script whose uid is 1065 is not allowed
>>  to access /www/herolist.com/web/pictures/TERISBROTHER1thum.jpg owned
>>  by uid 1056
>>
>>  Note that the UIDs are the *same*.
>
>Maybe I'm missing something here, but 1065 != 1056.
>
>miguel

Geez!  I'm going bleary-eyed from looking at this.  SORRY!

Just ignore me.
-- 
Got Music? http://l-i-e.com/artists.htm





Re: [PHP] Safe Mode

2002-04-08 Thread Miguel Cruz

On Tue, 9 Apr 2002, Richard Lynch wrote:
> So, what's up with this:
> 
> PHP /www/herolist.com/web/categories.html: 105 2 SAFE MODE 
> Restriction in effect.  The script whose uid is 1065 is not allowed 
> to access /www/herolist.com/web/pictures/TERISBROTHER1thum.jpg owned 
> by uid 1056
> 
> Note that the UIDs are the *same*.

Maybe I'm missing something here, but 1065 != 1056.

miguel






Re: [PHP] safe mode and file handling

2002-03-01 Thread Jim Lucas [php]

if you are on a unix system running with apache, you could modify the
virtual host block and have apache run as your user name and then change the
permissions of the docroot so you are the owner and group.

Jim Lucas
www.bend.com
- Original Message -
From: "Mika Lindqvist" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 01, 2002 1:21 PM
Subject: [PHP] safe mode and file handling


> I and my www space provider have fought with a problem. All
> files/directories created by PHP are owned by nobody/nobody and we want
> them to be created by my own uid/guid. How this would be solved by least
> amount of modification in the scripts.
>
> The problem is in that safe mode requires that the script and the
> directory containing the file/directory to be accessed is owned by me
> and only me. If I tell PHP to create a directory test1 under my www root
> and then change to that directory and tell it to create another
> directory for example called test2, it fails because test1 is owned by
> nobody, not me.
>






Re: [PHP] safe mode and file handling

2002-03-01 Thread Rasmus Lerdorf

The easiest way to make this work is to use open_basedir settings instead
of safe_mode.  Safe_mode is specifically created to prevent you from doing
what you are trying to do.

-Rasmus

On Fri, 1 Mar 2002, Mika Lindqvist wrote:

> I and my www space provider have fought with a problem. All
> files/directories created by PHP are owned by nobody/nobody and we want
> them to be created by my own uid/guid. How this would be solved by least
> amount of modification in the scripts.
>
> The problem is in that safe mode requires that the script and the
> directory containing the file/directory to be accessed is owned by me
> and only me. If I tell PHP to create a directory test1 under my www root
> and then change to that directory and tell it to create another
> directory for example called test2, it fails because test1 is owned by
> nobody, not me.
>






Re: [PHP] Safe mode/restricted directory file system operations

2002-02-21 Thread Lars Torben Wilson

On Thu, 2002-02-21 at 10:44, Dave wrote:
> Apache server with PHP module
> Apache user is nobody:nobody
> Virtual user is user1:user1

[snip]

> Ideas or suggestions appreciated.
> 
> Dave

Well, this isn't really a PHP issue, but what the hell. If you need to
do filesystem stuff as a certain user, the Apache module just ain't 
gonna do it for you. It'll always run as the httpd user. So you could
very carefully set up directory permissions so that httpd has access to
do what it needs, or you could just compile the CGI version of PHP and
use it for the pages which need to do these uid/gid-related operations.
(If used with something like suExec you can get it to act as any user
you want.) The second option is probably the safest.


-- 
 Torben Wilson <[EMAIL PROTECTED]>
 http://www.thebuttlesschaps.com
 http://www.hybrid17.com
 http://www.inflatableeye.com
 +1.604.709.0506






Re: [PHP] Safe mode and dir permissions

2001-11-16 Thread Bas Jobsen

Hello,

You can't change permissions in safe_mode.

>and for every new people
> inserted the system creates a directory and will upload things

Maybe you give the new people something like an autonumbered userid. So you
can create the dirs
/userid0/, /userid1/ etc. already by hand.



- Original Message -
From: "Rodrigo Peres" <[EMAIL PROTECTED]>
To: "PHP" <[EMAIL PROTECTED]>
Sent: Friday, November 16, 2001 2:02 PM
Subject: [PHP] Safe mode and dir permissions


> Hi List,
>
> My ISP runs the PHP in Safe Mode, this is causing me a lot of trouble. In
> safe mode how can I change the permission of a dir to 0777?, my problem is
> that I've built a Content management system, and for every new people
> inserted the system creates a directory and will upload things
> automatically on it, but I couldn't create it with 0777 permission, so I
> can't upload nothing with PHP, and I don't have how change every single
> folder permission by hand.
>
> Thanks
>
> --
>
>
> Rodrigo
>
>




Re: [PHP] Safe mode + /usr/share/php

2001-08-25 Thread Rasmus Lerdorf

A recent feature addition (4.0.7) is a safe_mode_include_dir php.ini
directive where you can do exactly this.

-Rasmus

On Sun, 26 Aug 2001, Artyom Plouzhnikoff wrote:

>   Is it possible to use safe mode yet allow all scripts to include any files
> from /usr/share/php? Normal users ain't gonna have *write* access to that
> directory, so it shouldn't be much of a security concern, I just don't know
> how to do this. I know that I can disable safe_mode and enable open_basedir,
> but that will create yet another security hole because normal users will be
> able to alter LD_LIBRARY_PATH, which is not a very good idea. AFAIK, they can
> make PHP load a custom glibc and thus gain root access to the box if I allow
> them to do that.
>
>






Re: [PHP] Safe mode upload

2001-05-08 Thread Philip Olson


A while ago there was some discussion on irc #php, and this use was proposed
(by onki):

  $tmp_name = $HTTP_POST_FILES['userfile']['tmp_name']; 

  move_uploaded_file ($tmp_name, '/home/httpd/html/upload/example.zip'); 

  chmod('/home/httpd/html/upload/example.zip', 0644); 

And it works. move_uploaded_file() is the key here. Haven't personally
tried it like this as the safe mode server I have access to is 4.0.2 and
move_uploaded_file is a 4.0.3 function.

  http://www.php.net/manual/en/function.move-uploaded-file.php
  http://www.php.net/manual/en/features.file-upload.php

Also, what you can do is get a script called chuid from here :

  http://www.srparish.net/scripts/ 

It must be installed by sysadmin. Then, users do something like this : 

  ...  ... 

  passthru ("chuid $file 1033");

  copy($file, "/path/to/uploads/$file_name");

Something like that. The above (1033) is the user's uid which of course is
different for everyone.  If anyone has comments to add/change to this
post, please do so.

Also upon review of the php4.0.5 CHANGELOG, note the following entry :

  "Allow access to uploaded files in safe_mode. Beware that you can only
  read the file. If you copy it to new location the copy will not have the
  right UID and your script won't be able to access that copy. (Thies)"

  http://php.net/ChangeLog-4.php


Regards,
Philip


On Tue, 8 May 2001, php wrote:

> 
> Hi everyone.
> 
> I have trouble uploading files while in safe mode 
> .Warning: SAFE MODE Restriction in effect. The script whose uid is 206 is
> not allowed to access /tmp/php6wtDUc owned by uid 0 
> Can someone help me pass around this problem?
> 
> 
> 




RE: [PHP] Safe mode?

2001-03-02 Thread Asep Dindin

I think the second line is right, but I suggest adding a space before and
after the equal sign; if it is not working, maybe something else is causing the
problem.

safe_mode = off

-Original Message-
From: Leon Mergen [mailto:[EMAIL PROTECTED]]
Sent: 03 March, 2001 4:36 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Safe mode?


How can I turn off safe_mode using php.ini with php4.0.3pl1? All this
doesn't work:

safe_mode="off"
safe_mode=off
safe_mode="0"
safe_mode=0
safe_mode="Off"
safe_mode=Off

Anyone has an idea?


Leon Mergen
[EMAIL PROTECTED]
President of Technical Operations
BlazeBox, Inc.
ICQ: 55677353






Re: [PHP] safe mode in 4.0.4pl1

2001-01-15 Thread Richard Lynch

suExec() does most of what safe_mode would do, and other things besides...

I don't think they are compatible...

What exactly is your suExec'ed PHP able to do that you want to not allow?

- Original Message - 
From: Ian Gulliver <[EMAIL PROTECTED]>
Newsgroups: php.general
Sent: Monday, January 15, 2001 11:58 AM
Subject: [PHP] safe mode in 4.0.4pl1


> I'm running PHP 4.0.4pl1 as a CGI under Apache 1.3.14 with suexec.
> Whenever I turn on safe_mode in php.ini, the following messages appear
> from a script owned by and running as uid 1013 which is trying to include
> files owned by uid 1013 in a directory owned by 1013:
> 
> Warning: SAFE MODE Restriction in effect.  The script whose uid is -1 is
> not allowed to access header.php owned by uid 1013 in archive.php on line
> 1.
> 
> Any help would be much appreciated.
> 
> 
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
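
An added example, not code from any of the posters: a Python triage of the "SAFE MODE Restriction in effect" warnings quoted in the threads above (the 1065/1056 case, the uploaded temp file owned by uid 0, and the script uid of -1). The function names and the four note labels are assumptions of this example; the sample text is the three warnings from the page, wrapped as in the mails.

```python
import re

# One SAFE MODE warning, after mail line-wrapping has been collapsed.
WARNING = re.compile(
    r"SAFE MODE Restriction in effect\. The script whose uid is (-?\d+) "
    r"is not allowed to access (.+?) owned by uid (-?\d+)")


def classify(script_uid, owner_uid):
    """Heuristic note for one warning (labels are this example's own)."""
    if script_uid < 0:
        # -1 is not a real account uid; treat the script owner as undetermined
        return "script owner unresolved"
    if owner_uid == 0:
        # e.g. an upload temp file in /tmp that belongs to root
        return "file owned by root"
    if sorted(str(script_uid)) == sorted(str(owner_uid)):
        # same digits in a different order, easy to misread as equal
        return "look-alike UIDs"
    return "owner mismatch"


def triage(text):
    """Return (script_uid, path, owner_uid, note) for each warning in text."""
    flat = " ".join(text.split())
    return [(int(m.group(1)), m.group(2), int(m.group(3)),
             classify(int(m.group(1)), int(m.group(3))))
            for m in WARNING.finditer(flat)]


# The three warnings quoted in the threads, wrapped as in the mails.
SAMPLE = """\
PHP /www/herolist.com/web/categories.html: 105 2 SAFE MODE
Restriction in effect.  The script whose uid is 1065 is not allowed
to access /www/herolist.com/web/pictures/TERISBROTHER1thum.jpg owned
by uid 1056
Warning: SAFE MODE Restriction in effect. The script whose uid is 206 is
not allowed to access /tmp/php6wtDUc owned by uid 0
Warning: SAFE MODE Restriction in effect.  The script whose uid is -1 is
not allowed to access header.php owned by uid 1013 in archive.php on line
1.
"""

if __name__ == "__main__":
    for script_uid, path, owner_uid, note in triage(SAMPLE):
        print(f"{script_uid:>5} -> {path} (owner {owner_uid}): {note}")
```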