Re: [PHP] safe mode bug ?

[Andreas John <aj@net-lab.net>]

Hi!

There are 2.5 possibilities that make sense.

a.) mod_suphp [Any volunteers to put that into debian tree??:-)] 
www.suphp.org
b.) Run php as cgi and attach she-bang (#!/path/to/pgp-cgi)
c.)  Run php as cgi and teach the environment to treat .php files like 
binaries with the "binfmt" kernel module

Personally I did not decide wether to take a.) or c.) ...

Rgds,
Andreas

Franz Georg Köhler wrote:
> On So, Jun 06, 2004 at 02:36:13 +0200, Robert Hensel <robert@hensel.nl> wrote:
>
> > Hi,
> >
> > I came upon a strange problem when trying to list directory's in safe 
> > mode as a normal user. Of course I expected this not to work, because 
> > safe_mode disables the possibility of reading files that not belong to 
> > the owner of the PHP-file. However, it does not seem to check for 
> > directory ownerships. (debian stable, PHP4.1.2). PHP does give a warning 
> > about safe_mode (as seen below) but then nicely lists the directory :(
> > This means any user can just browse through any dir. on my system. PHP 
> > obviously still obeys UNIX file permissions so i could tighten up those, 
> > and enable basedir restrictions and stuff, but it looks to me that this 
> > is just a (major) bug ?
>
>
> Hello,
>
>
> it is widely known that safe_mode is not really safe.
>
> You might want to restrict access with open_basedir .
>
>
> The most secure solution is still to install php's cgi executable in an
> suexec environment.


--
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331

http://www.net-lab.net