[BlueOnyx:03121] Re: php error

Stephanie Sullivan ses at aviaweb.com
Wed Dec 16 22:00:06 -05 2009 

Darrell, Darrell, Darrell, :-)

>From php.net:
**************
safe_mode_gid boolean 
By default, Safe Mode does a UID compare check when opening files. If you
want to relax this to a GID compare, then turn on safe_mode_gid. Whether to
use UID (FALSE) or GID (TRUE) checking upon file access. 
**************

Thus safe_mode_gid augments the safe_mode settings. It's not a one or the
other. Safe_mode_gid does not provide support with safe_mode off. With
safe_mode on and safe_mode_gif on then files are accessible if the group
ownership is accessible and the unix permissions permit their accesss (group
read in the case of an include file). This may the situation that Tony is
trying to resolve. It's easy to check and/or correct, I would think.

More information look at http://us3.php.net/manual/en/ini.sect.safe-mode.php

Further information on file ownership from the page supports my previous
assertion that the calling script must be the same as owner of the file
being called. It is not necessary that all files be owned by apache.

Here is the text from the above referenced page:

**************
When safe_mode is on, PHP checks to see if the owner of the current script
matches the owner of the file to be operated on by a file function or its
directory. For example: 

-rw-rw-r--    1 rasmus   rasmus       33 Jul  1 19:20 script.php 
-rw-r--r--    1 root     root       1116 May 26 18:01 /etc/passwdRunning
script.php: 

<?php
 readfile('/etc/passwd'); 
?> 
results in this error when safe mode is enabled: 

Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not

allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line
2

However, there may be environments where a strict UID check is not
appropriate and a relaxed GID check is sufficient. This is supported by
means of the safe_mode_gid switch. Setting it to On performs the relaxed GID
checking, setting it to Off (the default) performs UID checking. 
**************

So, for php configuration confusion the best I can say is search php.net and
do it today. :-)

	Thanks,
		-Stephanie


> -----Original Message-----
> From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-
> bounces at blueonyx.it] On Behalf Of Darrell D. Mobley
> Sent: Wednesday, December 16, 2009 11:17 AM
> To: 'BlueOnyx General Mailing List'
> Subject: [BlueOnyx:03118] Re: php error
> 
> > -----Original Message-----
> > From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-
> bounces at blueonyx.it]
> > On Behalf Of Stephanie Sullivan
> > Sent: Wednesday, December 16, 2009 10:13 AM
> > To: 'BlueOnyx General Mailing List'
> > Subject: [BlueOnyx:03117] Re: php error
> >
> > There are two things to consider:
> > 	1) in php.ini - is safe mode on? I go with yes.
> > 	2) in php.ini - is safe mode gid on? I'd bet no and suggest
> turning
> > it on.
> >
> > With php includes in safe_mode the owner of the including script
> must be
> > the same as the script being included. If not, no joy.
> >
> > Safe mode gid tells php to use the group rather than the owner as
> the
> > basis. So, files of different owners than the calling php file can
> load
> those
> > files with an include.
> >
> > Here are some safe mode controls from my php.ini
> >
> > safe_mode = On
> > safe_mode_gid = On
> 
> There is some confusion about this to me and probably others.
> According to
> this webpage, http://aymanh.com/checklist-for-securing-php-
> configuration,
> safe_mode and safe_mode_gid are not supposed to be enabled together,
> rather
> individually:
> 
> "In its default state, PHP's safe mode is too restrictive for any
> advanced
> development to be possible. However, there are several settings to
> relax it.
> The biggest problem with safe mode is that only files owned by Apache
> are
> accessible to PHP scripts. This is often impractical when many
> developers
> are working on the same project, or when you want PHP to read a file
> without
> changing its ownership. Another affected situation is when you want
> PHP to
> read files generated by other programs. To work around this, there is
> a
> setting that checks for file group instead of owner:
> 
> safe_mode = Off
> safe_mode_gid = On
> 
> With safe_mode_gid enabled instead of safe_mode, PHP will be able to
> open
> files that belong to Apache's group regardless of the owner. So if
> there are
> several developers working on the same server, add them to Apache's
> group,
> make it their default group, and everything should be set."
> 
> Also, I was the one asking about exec the other day, and using
> safe_mode_gid
> together with an exec include directory, I should be able to run
> binaries
> such as ImageMagick.  The question I have is, as the page listed
> above
> states, I could create a directory and put symbolic links to binaries
> in it
> for the web sites who wanted to use ImageMagick.  This would allow me
> to
> isolate only binaries that are safe for websites to execute.
> Therefore, the
> question is, what binaries other than the ImageMagick ones, are
> usable by a
> web site?
> 
> 
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at blueonyx.it
> http://www.blueonyx.it/mailman/listinfo/blueonyx

More information about the Blueonyx mailing list