PHP Safe-Mode permissions, redux

(I originally posted this in Administration, doubtless the wrong subforum.)

It is dumbfounding how much misinformation there is out there on the topic of PHP and "Safe Mode". I think I have now seen the truth of most issues, but a couple of sorely nagging problems remain; they would be easily resolved by a few minutes' playing, but my server doesn't have the conditions for a testbed.

Let me recapitulate what I think I do know, and if any of it seems wrong, someone please step up and say so.

There are four states or situations that affect the usability of PHP, and they are a two-by-two matrix of these things:

1. Is PHP run through a cgi wrapper? (Yes/No)

2. Is "Safe Mode" on? (Yes/No)

If PHP is being run through a cgi wrapper, no problems: PHP is "you" and has all your permissions. "Safe Mode" is largely immaterial. That's two out of four cases handled.

If PHP is not being run through a cgi wrapper, but "Safe Mode" is off, no substantial problems: be sure to set "everyone" access to 6 (rw-) or, for executables, 7 (rwx) and all is well. That's cumulatively three out of four cases.

Now the problem: cgi wrappers are not enabled and "Safe Mode" is On.

While one could argue that any host who locks PHP "Safe Mode" On without providing access to a cgi wrapper for PHP deserves to be abandoned, the fact remains that some users will have such a host and will not just jump up and change hosts. So what to do in such cases for PHP scripts that need to make new directories and read and write files in them?

PHP in such instances is user "nobody" (or "www"). "Safe Mode" (what a travesty of a name!) goes beyond permissions to look at the User ID of the file or directory and that of the "user". I have seen hideous kludges using ftp processes to make directories so that their "owner" is PHP, but that seems ludicrous.

I have an idea, but it turns on the exact meaning of the sentence in the online PHP Manual that says:

If that statement is exactly correct, it would mean that I could upload a PHP script to the root of a site (one I own) and have that script make a subdirectory off the root which subdirectory would be "owned" by PHP, not me. That would be because: 1) I own the root directory; 2) I "own" the PHP script, because I uploaded it; 3) the script can make the subdirectory because "the directory in which you are about to operate has the same UID (owner) as the script that is being executed"; and 4) because PHP (or "nobody" or "www") would be the actual maker of the directory, other PHP scripts should have whatever rights in the directory I had--by means of the script--assigned to "owner" at the time of the directory creation.

But--if the statement in the manual is simply a sloppy rendition of "PHP checks whether the directory in which you are about to operate has the same UID (owner) as the user attempting the script execution", the thing would fail.

Does anyone know for sure? Please? Pretty please?

 

The PHP manual is right!

In adition to "safe mode" (which shouldn't be used...), you should take a look at some ini directives, like 'open_basedir' (allowed dirs to open by PHP), safe_mode_gid (you may relax safe_mode by using a GID comparing, instead of UID).

You may also 'chmod 777' the dir to allow PHP to read/write files.

More info at: http://www.php.net/features.safe-mode

If you have further questions, just say!

 

I believe the user that PHP is set to use depends on the way that it is setup. It either runs as a specific user (you) OR as the Web(Apache) user.

 

A chmod to 777 will not suffice for universal access if Safe Mode is on: PHP will look at the user IDs, even if the permissions otherwise allow access, and--without a cgi wrapper--PHP is not you.

This is not something I want to do, it is an effort to find a way to make some PHP scripts usable even by those poor souls with no cgi wrapper available and yet Safe Mode locked on by their hosts. (Hosts that set Safe mode on do not normally allow users to change that setting with an ini_set.)

I may be able to get some definite answers by experimentation. My local ISP, whom I have been using only for dialup connects and sending mail, gives users some picayune amount of web space. I have asked for a setup--they use Apache and, if I can believe their "tech", do not use cgi wrappers; he says they have Safe Mode Off, but usually if it is Off by default the user can set it On (the reverse of the case when it defaults to On).

Regrettably, the setup will not be ready till tomorrow, so I have to sit and chew my fingernails for another day before I can actually experiment.

 

What task are you trying to do exaclty?

 

I have an SEO site-augmentation package (the "Freebie" mentioned in my sig block) that I am trying to assure will work for anyone.

Functionally, it is satisfactory, but there are potential problems using it, depending on the user's PHP environment. If the user's host has PHP cgi-wrapped, it's a piece of cake, and everything will work fine, even if Safe Mode is, for some bizarre reason, on (it rarely is with cgi wrappers provided).

If the host doesn't supply cgi wrappers, the norm, as I understand it, is to have Safe Mode set off; that, too, is no problem: the package can autodetect Safe Mode and use chmod where necessary to set appropriate file permissions.

It is the possible case (rare, I suspect, but I am by no means sure of that) where wrappers are not available yet the host has set Safe Mode on, in which cases the user is usually not allowed to turn it off by PHP command. In those cases, the user can ftp the package up and try to install it, but may find--as so many in analogous circumstances have found themselves (Google on <php "safe mode">)--unable to read and write files the user thinks he or she ought to be able to.

I am trying to find a technique that will allow PHP scripts to operate properly in an environment where wrappers are not available (so the "user" of a PHP script is "nobody" or "www") and yet Safe Mode is on (so that the user and the directory or file owner have to be identical, which means that files and directories must be owned by "nobody" or "www" or whatever, regardless of the permissions settings.).

This mess is sort of like the five-color-map problem: at first, it looks like it ought to be easy, but as one tries it, there is always a snag.

 

Do you I have you right to say that in "Safe Mode" the program can't access files and/or directories that it doesn't own?

 

This is one of the most frustrating, hairy, and controversial (and ill-understood) aspects of PHP. To quote from the :
online Manual

This is not "file permissions". It is a check of the actual UID of the file "owner" and of the script user, of which more anon. (Of course, the permissions must also be appropriate, but this is an uber-check.)

It applies to all PHP operations, not to this or that script.

Typically, some poor devil ftp-uploads this or that package made partly or wholly of php, perhaps into a new directory the user has made for it, only to discover that the scripts are unable to read and write files. "You mean I made a directory I can't write to?" is the common--and widely heard--plaint. Yes, old son, you did. Actually, you can write to it: just poor old PHP can't, because you made the directory, and--this is, or ought to be, the PHP catchphrase, PHP ain't you. On most systems, it is, if you check UID's, listed as "nobody", or sometimes as "www".

As the online Manual also rightly states:

but they did anyway.

The workarounds suggested here and there across the web are many, diverse, and often silly. One also hears endless incorrect statements that "you just need to set your permissions correctly."

Wrapper files for PHP have been around for a while now (I believe Pair Networks made the first one), and are becoming ever more common. They do some security checks of their own, then cause PHP to appear to the system as whatever user actually owns the PHP script being run. If you uploaded the script, the system will--courtesy of the wrapper--see PHP as you (your UID), not as "nobody", and so will let the script that you own do whatever you yourself could do, permissions-wise.

Not every host offers PHP cgi wrappers, and not every user knows to ask to be set up with them from hosts that do (it is not necessarily the default PHP setup even when available). If wrappers are not available, a good host should not have safe mode on, but a lot of them do as a knee-jerk. There is the crux.

(I am not a network security expert, and I don't even play one on TV. But from what I read, I get the distinct impression that safe mode is little protection against serious hacking, but remains a colossal pain to ordinary users. I have seen proposals by PHP experts that it be dropped altogether from PHP.)

So that is the genesis of the problem. The only way I can see to make the thing--PHP scripts with safe mode on and no cgi wrappers available--work is to try to use PHP scripts to make all the directories and scripts and working files that a php package will need; then, php will be the legitimate owner of those directories and files. (The actual user might not be able to access them, but that's another matter.) But this is a bit like hoisting yourself up by your bootstraps. The crux is whether or not a script can somehow be made to make a subdirectory in a directory that the user owns.

I have no playpen in which to experiment, else I'd have had some definite answers in an hour's playtime. I thought I was about to have such a pen on the local ISP who provides my dialup, but I just found out that I was lied to--they won't have web-page space available for weeks yet. (Hey ho, the joys of rural life.)

If you Google on <php "safe mode" and read a few, you'll soon see what I mean about, one, many complaints, and two, much folklore and superstition being dispensed in the guise of knowledge and help.

 

Yes, I work on PHP and we have many complains about Safe mode. Personally, I recomend to NOT use safe mode.
There is also an open bug report at: http://bugs.php.net/bug.php?id=21975

 

I have my own test server running and am aware of some of your problems.

1. The folder(s) you will be writing to must changed to (777) by you as you own the file.
2. The user running php is nobody or www and can not write to areas not changed.
3. As nobody or www wrote the file or sub folder you can not change or delete it.
4. Only the owner of the file/folder can change permisions.
5. I wrote a script in an earlier version of php and was unable to set permisions the way I wanted.
6. Where there's a will there's a way. I now have a php script that reads a db and writes new scripts for me.
7. Portion of script follows;

if($row1[1]=="yes")
			{if(!is_dir("category/$row[3]/$row1[3]")){ mkdir("category/$row[3]/$row1[3]");chmod("category/$row[3]/$row1[3]",0777);}
		$fd=fopen("category/$row[3]/$row1[3]/index.php","w+");
		$line9=($line1).($line3).($line4).("$row1[0];\n").($line5);
		fwrite($fd,$line9);
		fclose($fd);
		if(!is_dir("thumbnails/$row[3]/$row1[3]")){mkdir("thumbnails/$row[3]/$row1[3]"); chmod("thumbnails/$row[3]/$row1[3]",0777);}
		$fd=fopen("thumbnails/$row[3]/$row1[3]/index.php","w+");
		$line9=($line1).($line2).($line4).("$row1[0];\n").($line5);
		fwrite($fd,$line9);
		fclose($fd);
			}
		else{
		$fd=fopen("category/$row[3]/$row1[3].php","w+");
		$line9=($line1).($line3).($line4).("$row1[0];\n").($line5);
		fwrite($fd,$line9);
		fclose($fd);
		$fd=fopen("thumbnails/$row[3]/$row1[3].php","w+");
		$line9=($line1).($line2).($line4).("$row1[0];\n").($line5);
		fwrite($fd,$line9);
		fclose($fd);
			}
		}

PHP:

The complete script at the moment creates 48 subfolders and 898 php scripts in a fraction of a second. naming them from the contents of the db in a structure dictated by the db.

 

The crux is the line pair:

mkdir("category/$row[3]/$row1[3]");
chmod("category/$row[3]/$row1[3]",0777);

PHP:

(By the way, would not $mkdir($dirname,0777) accomplish the same in one step?)

If it is the user who first created, and thus "owns", the directory category/$row[3]/ and even with Safe Mode "On" (and no cgi wrappers) a PHP script can do that mkdir, all is well.

Since you are actually doing it, obviously it works. I would just like to be absolutely, positively sure I have two data correct: you are successfully doing this with:

a) Safe Mode ON; and,

b) you are not working through a cgi interface (the function php_sapi_name() does not return cgi or anything with "cgi" in it).

It is that second that I really wonder about. Please let me know for sure.

 

Sorry for getting your hopes up.

1. $mkdir($dirname,0777) dose not work as one step, probibly over ridden some were.

2. safe mode was off, so turned on. I was unable to get anything to work right.

3. php is loaded as a module and php_sapi_name(); returns nothing.

I guess Safe Mode = On means Safe because no one can do any thing.

 

Ah, I feared as much.

Yes, you are quite right, it's "Safe" precisely because no one can do anything.

In principle (please, medical attention for those in danger of choking), no host should ever be setting Safe mode "on" unless that host either a) offers cgi wrappers for PHP, or b) allows users to turn Safe Mode "off". But if I had a nickel for every airhole host out there, I'd be chatting with Bill Gates over cigars and brandy.

 

Hi folks

New to this forum having found this fascinating thread whilst searching for help on this issue. I'm stuck and fed up. Our clients hosts have switched to safe mode - and I'm having to rewrite scripts to keep the site functional. However can not find anyway around our unzip problem - cannot create files in directories on extract (using fopen()). I see this thread has gone rather quiet! Have you all given up on it or resolved it?? Desperate for some help here.

 

My ISP has safe_mode off so it is not an isssue for me but just came accross this info.

From: http://www.hardened-php.net/advisories/012004.txt

Note: "When safe_mode is activated within PHP, it is only allowed to
execute commands within the configured safe_mode_exec_dir."

More: http://www.hardened-php.net/

 

Wow! Good topic.

I'm a newbie, myself, here. Am getting into PHP & this raises an interesting issue. Now I gotta go back to my test ISP and see how this is configured...

As far as a test platform - you should be able to put up an *BSD or Linux box together pretty easily on an old junk machine. Tweak settings and modules to match your ISP and then vary to test different configurations.

rickb

 

Safe Mode in PHP has always been a real bugger. And apparently it's been removed as of PHP 6.0. Take a look: http://us2.php.net/features.safe-mode

 

yea, lots of people have been having problems with it.

 

This is not something I want to do, it is an effort to find a way to make some PHP scripts usable even by those poor souls with no cgi wrapper available and yet Safe Mode locked on by their hosts. (Hosts that set Safe mode on do not normally allow users to change that setting with an ini_set.)

I may be able to get some definite answers by experimentation. My local ISP, whom I have been using only for dialup connects and sending mail, gives users some picayune amount of web space. I have asked for a setup--they use Apache and, if I can believe their "tech", do not use cgi wrappers; he says they have Safe Mode Off, but usually if it is Off by default the user can set it On (the reverse of the case when it defaults to On).

Regrettably, the setup will not be ready till tomorrow, so I have to sit and chew my fingernails for another day before I can actually experiment.