safe_mode question

h725 · 02-03-2009, 03:35 AM

hi,

I'm trying to understand safe_mode in php.
I put safe_mode = On in php.ini

After, I've created a little php file, owned by my normal user, while apache2 is running as www-data.

Why I'm able to call the script via browser?

Undeadzz · 02-04-2009, 12:46 AM

if the browser is able to call the script thats normal, its probly allowed by the apache configuration?

h725 · 02-04-2009, 02:02 AM

Quote:

Originally Posted by Undeadzz

if the browser is able to call the script thats normal, its probly allowed by the apache configuration?

I don't understand.. if safe_mode is ON, and the script's uid is different than www-data, why I'm able to execute the script?

h725 · 02-04-2009, 04:23 PM

Quote:

Originally Posted by h725

I don't understand.. if safe_mode is ON, and the script's uid is different than www-data, why I'm able to execute the script?

Ok, I found the explanation in this link:

http://it2.php.net/manual/en/ini.sect.safe-mode.php

Quote:

When safe_mode is on, PHP checks to see if the owner of the current script matches the owner of the file to be operated on by a file function or its directory. For example:

-rw-rw-r-- 1 rasmus rasmus 33 Jul 1 19:20 script.php
-rw-r--r-- 1 root root 1116 May 26 18:01 /etc/passwd

Running script.php:
<?php
readfile('/etc/passwd');
?>
results in this error when safe mode is enabled:

Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not
allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line 2

..which is a little different than simply open a php file via browser.