Archive for the tag 'on'

SBDavid
Nov 7th, 2009

When PHP safe_mode is on

When PHP safe_mode is on

When safe_mode is on, PHP checks to see if the owner of the current script matches the owner of the file to be operated on by a file function or its directory. For example:

-rw-rw-r– 1 buddies buddies 43 Nov 1 19:20 passwd.php
-rw-r–r– 1 root root 1116 Nov 26 18:01 /etc/passwd

Running passwd.php: results in this error when safe mode is enabled:

Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not
allowed to access /etc/passwd owned by uid 0 in /docroot/passwd.php on line 2

However, there may be environments where a strict UID check is not appropriate and a relaxed GID check is sufficient. This is supported by means of the safe_mode_gid switch. Setting it to On performs the relaxed GID checking, setting it to Off (the default) performs UID checking.

If instead of safe_mode, you set an open_basedir directory then all file operations will be limited to files under the specified directory. For example (Apache httpd.conf example):

php_admin_value open_basedir /docroot

If you run the same script.php with this open_basedir setting then this is the result:

Warning: open_basedir restriction in effect. File is in wrong directory in /docroot/passwd.php on line 2