[BlueOnyx:03240] Re: php error

Michael Stauber mstauber at blueonyx.it
Mon Jan 4 22:10:05 -05 2010


Hi Darrell,

> > Are you saying that with SafeModeGid you cannot include site5 in the
> > site4 group and expect SafeModeGid to recognize this?  Is this an
> > open_basedir issue or a SafeMode issue or both?
> >
> > I added site4 to site5's group and vice versa without success.

You're trying to shove a square pig through a round hole.

You can't turn on all the security features and then expect your scripts to do 
something totally unsafe. You either have to keep the security features as 
they are and have to live with the restrictions they impose, or you have to tune 
them down and have to live with the fact that you're opening the floodgates 
and expose yourself to dangers.

Open_basedir: This directly restricts the paths to which a site's scripts have 
access. Typically "open_basedir" for a site is set to something like this:

/tmp/:/var/lib/php/session/:/home/.sites/33/site5/

So scripts of that site5 can access anything within (and under):

/tmp/
/var/lib/php/session/
/home/.sites/33/site5/

But: Those scripts from site 5 cannot access the webspace of any other site, 
regardless of how you configure safe_mode.

"safe_mode" (and "safe_mode_gid") are other - independent - means which make 
sure that a script owned by one UID (or GID) cannot include, access or run 
scripts that are owned by someone else.

Now if you really want to tear a giant security hole into your system, then 
you can of course do that. All you need to do is this:

safe_mode: Off
safe_mode_gid: Off
register_globals: On
open_basedir: Simply add ":/" to the end of it, which allows scripts of that 
site access to "/" and anything thereunder. 

The "open_basedir" line for our site5 then would look like this:

/tmp/:/var/lib/php/session/:/home/.sites/33/site5/:/

So yes: It's possible to do so. But not really recommended.

-- 
With best regards

Michael Stauber
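
The prefix semantics described above, as an added example that is not part of the original post: a small Python model of PHP's open_basedir check, run against the site5 value from the mail and against the ":/" variant. It assumes paths are already absolute and does not resolve symlinks the way PHP's realpath-based check does; the trailing-slash behaviour follows PHP's documented rule that a prefix without a trailing slash also matches sibling names sharing that prefix.

```python
import posixpath

# The open_basedir value for site5 as given in the post.
SITE5_BASEDIR = "/tmp/:/var/lib/php/session/:/home/.sites/33/site5/"

# The "floodgate" variant from the post: ":/" appended.
SITE5_BASEDIR_OPEN = SITE5_BASEDIR + ":/"


def parse_open_basedir(value):
    """Split an open_basedir value into its colon-separated prefixes."""
    return [p for p in value.split(":") if p]


def path_allowed(path, basedir_value):
    """Model PHP's open_basedir test.

    The path is normalised (so "../" hops are collapsed) and then compared
    as a plain string prefix against each configured entry.  An entry that
    ends in "/" admits that directory and everything under it; an entry
    without a trailing "/" admits any path that merely starts with it, so
    "/home/.sites/33/site5" would also admit "/home/.sites/33/site50".
    Symlink resolution is assumed to have happened already (assumption).
    """
    normalised = posixpath.normpath(path)
    for prefix in parse_open_basedir(basedir_value):
        if prefix.endswith("/"):
            if normalised == prefix.rstrip("/") or normalised.startswith(prefix):
                return True
        elif normalised.startswith(prefix):
            return True
    return False


def allowed_report(paths, basedir_value):
    """Return {path: allowed?} for a list of candidate paths."""
    return {p: path_allowed(p, basedir_value) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths: site5's own webspace, a traversal attempt
    # toward site4, and site4 reached directly.
    samples = [
        "/home/.sites/33/site5/public_html/index.php",
        "/home/.sites/33/site5/../site4/public_html/config.php",
        "/home/.sites/33/site4/public_html/config.php",
    ]
    for label, value in (("site5", SITE5_BASEDIR), ("site5 + :/", SITE5_BASEDIR_OPEN)):
        for p, ok in allowed_report(samples, value).items():
            print(f"[{label}] {'allow' if ok else 'deny '} {p}")
```

With the post's value the first sample is allowed and the other two denied; with ":/" appended every path is allowed, which is the hole the mail warns about.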



