ID: 31618 Comment by: nobody at bugs dot php dot net Reported By: kpederson at mail dot ewu dot edu Status: Assigned Bug Type: Feature/Change Request Operating System: redhat enterprise PHP Version: 5CVS-2005-03-14 Assigned To: tony2001 New Comment:
Until an is_includible() is added, it's possible to check a file exists using realpath() even with safe mode enabled which allows Smarty to at least see and include() its own plugins. Previous Comments: ------------------------------------------------------------------------ [2006-06-19 21:03:34] kpederson at mail dot ewu dot edu open_basedir does not do what I need it to do. The functionality and setup that I need: 1) I have many users per host, each with their own group hierarchy. 2) Each user cannot access any other users data, unless they are in the same group. Thus, I have user and group permissions that need to be managed. 3) I have common scripts that everyone needs to access (smarty templates and wrappers). Because of #1 and #2, I need safe mode with GID checking. Because of #3, I need to have a directory that *everyone* can include and read from -- safe_mode_include_dir is not sufficient because it doesn't allow the users to read the templates, only include them and smarty (smarty.php.net) needs the ability to read them in order for them to work. open_basedir is great for restricting reads between hosts. I could set it to /path/to/host/;/path/to/templates/ and then users would only be able to access files within their host and the templates, but it still doesn't solve the problem at hand. ------------------------------------------------------------------------ [2006-06-19 20:07:02] yanstiac at yahoo dot com Just need to read a bit =) Nstiac http://www.php.net/manual/en/features.safe-mode.php#ini.sect.safe-mode ------------------------------------------------------------------------ [2006-06-19 20:02:59] yanstiac at yahoo dot com Guys... that is what open_basedir is actually for. Cheers, Nstiac ------------------------------------------------------------------------ [2006-05-29 06:45:23] parktrip at gmail dot com Could someone tell me what will happened to this report ? is this supposed to be solved in a future version of PHP ? I have the same problem with smarty in a commercial application. Is there another way to make it work with safe_mode on ? Thanks a lot. ------------------------------------------------------------------------ [2005-08-12 22:15:09] kpederson at mail dot ewu dot edu Hmm... wouldn't something like safe_mode_read_dir make it possible to have shared libraries while using safe mode, assuming it allowed fopen(), include/require access? I don't see how else it's possible to make common modules, like the pear library, available globally, unless they never need to do more than include other files in their own hierarchy, while using safe mode. To turn off safe mode, would be a huge security risk unless I were running it using suExec and CGI or something. I'm going to ask on #PHP for other thoughts as there has to be a way to get the best of both worlds (common accessible libraries vs. security). Thanks for the help. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/31618 -- Edit this bug report at http://bugs.php.net/?id=31618&edit=1
