Safe mode story

11/05/2008, 06h06

Hi all,

I'm running a Plesk 8.3 mass hosting server equipped with PHP 5.1.6 on
CentOS 5, and I'm facing the problem of PHP "Safe mode" barfing at the
UID mismatch of PHP scripts uploaded by user's FTP UID, and later
executed by Apache UID, where user's PHP scripts thusly uploaded attempt
to write any files while doing their job.

Is there an educated solution? What if I relax safe mode checks to gid
(safe_mode_gid=On), and given that GID is psacln for every Plesk-hosted
customer, with only UIDs being different, is there any risk that folks
operating on their own chmod 660 files will be able to overwrite other
people's chmod 660 files? Or will open_basedir be enough to prevent
unwanted PHP level file access while relaxing safe mode uid check at the
same time? (by default, it is properly set by Plesk in
%mysite%/conf/httpd.include) ?

BTW, safe_mode_exec_dir is empty by default, does it mean if I do set
safe_mode_gid then users will be able to exec other Plesk users' cgi-bin
scripts etc. because of GIDs being equal??

Safe mode has _got_ to be there for some good reason.

Thanks in advance for any tips.

14/05/2008, 16h11

On May 11, 2008, at 12:06 AM, admin wrote:

[snip!]

> Safe mode has _got_ to be there for some good reason.

Read on about PHP6....

<http://www.ibm.com/developerworks/op...xw01PHP-Future
>

Scroll down to where the title is "Things removed" - notice that
'safe_mode' is listed. It may have been put in originally for a good
reason, but since then deprecated.

HTH,

~Philip

11/05/2008, 06h06	#1
admin Messages: n/a Hébergeur:	Safe mode story Hi all, I'm running a Plesk 8.3 mass hosting server equipped with PHP 5.1.6 on CentOS 5, and I'm facing the problem of PHP "Safe mode" barfing at the UID mismatch of PHP scripts uploaded by user's FTP UID, and later executed by Apache UID, where user's PHP scripts thusly uploaded attempt to write any files while doing their job. Is there an educated solution? What if I relax safe mode checks to gid (safe_mode_gid=On), and given that GID is psacln for every Plesk-hosted customer, with only UIDs being different, is there any risk that folks operating on their own chmod 660 files will be able to overwrite other people's chmod 660 files? Or will open_basedir be enough to prevent unwanted PHP level file access while relaxing safe mode uid check at the same time? (by default, it is properly set by Plesk in %mysite%/conf/httpd.include) ? BTW, safe_mode_exec_dir is empty by default, does it mean if I do set safe_mode_gid then users will be able to exec other Plesk users' cgi-bin scripts etc. because of GIDs being equal?? Safe mode has _got_ to be there for some good reason. Thanks in advance for any tips.

14/05/2008, 16h11	#2
Philip Thompson Messages: n/a Hébergeur:	Re: [PHP] Safe mode story On May 11, 2008, at 12:06 AM, admin wrote: [snip!] > Safe mode has _got_ to be there for some good reason. Read on about PHP6.... <http://www.ibm.com/developerworks/op...xw01PHP-Future > Scroll down to where the title is "Things removed" - notice that 'safe_mode' is listed. It may have been put in originally for a good reason, but since then deprecated. HTH, ~Philip

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email