Re: [PHP-DEV] ENFORCE_SAFE_MODE From: Andi Gutmans (andi <email protected>)
Date: 08/30/00

At 01:25 PM 8/30/00 -0700, Rasmus Lerdorf wrote:
> > At 01:06 PM 8/30/00 -0700, Rasmus Lerdorf wrote:
> > > > I am getting rid of it and am only checking PG(safe_mode) in
> > > > fopen-wrappers.c. This should make the safe_mode much much safer from now
> > > > on (at least the code that uses the php_fopen_wrappers()). I have heard in
> > > > the past that some extension modules might want to open some system fonts
> > > > and stuff so you wouldn't want to enable safe mode for those modules but I
> > > > think it's a bad explanation. You could probably use those extensions to
> > > > open /etc/passwd and maybe even get some kind of info back by chance.
> > > > If anyone thinks I'll break something badly scream now!
> > >
> > >Whether it is a bad explanation or not, you will break the GD extension as
> > >I explained before.
> >
> > Well what do you suggest instead? Why not chown() the GD files over to
> > nobody if they should be used with the web site?
>
>?? How does that solve anything? There is nothing special about the
>nobody user. Safe mode would still reject the file access.

I guess I missed something then. I thought that you can open files which
have the same uid as the web server in safe_mode.

>What is really required is a safemode file path of directories that are
>excluded from the safe mode check. Then admins can put font paths,
>temporary upload dirs, etc. on that path.
>
> > How do you know that the modules which don't have ENABLE_SAFE_MODE enabled
> > don't give you any way to see the raw data in the files? And it also seems
> > as if there were holes with this in php_fopen_wrappers() under certain
> > circumstances (where include_path wasn't defined).
>
>I have never said there weren't holes. There are plenty. That's why just
>arbitrarily changing this one thing without providing a different way to
>achieve the same thing makes no sense to me.

Well there's not much to say except "it sucks very very badly right now". I
will concentrate right now on cleaning up the code without changing the
semantics and maybe then it'll be easier to see what needs to be changed.

>For example, what is the difference between ignoring safe mode on a file
>open from a specific PHP function and calling a lower level third-party
>api function which opens a file. We do the latter in dozens of places
>already.

Yep and I want to try and fix this as much as possible.

Andi

---
Andi Gutmans <andi <email protected>>
http://www.zend.com/
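The two checks discussed above, the owner-uid comparison and Rasmus's proposed list of directories exempt from it, as an added model written for this page (not PHP's own fopen-wrappers.c code). The `FAKE_FS` table, paths and uids are constructed stand-ins for stat() results so the example runs offline:

```python
import posixpath

# Constructed stand-in for the file system: absolute path -> owner uid.
# Real code would stat() the file; this keeps the example runnable offline.
FAKE_FS = {
    "/var/www/site/index.php": 1001,
    "/var/www/site/data.txt": 1001,
    "/home/other/private.txt": 1002,
    "/etc/passwd": 0,
    "/usr/share/fonts/Vera.ttf": 0,
}


def canonical(path: str) -> str:
    """Collapse '.' and '..' segments before any prefix comparison.
    A real check must also resolve symlinks (realpath), otherwise a link
    placed inside an exempt directory can point back out of it."""
    if not path.startswith("/"):
        raise ValueError("safe mode check needs an absolute path")
    return posixpath.normpath(path)


def in_exempt_dir(canon_path: str, exempt_dirs) -> bool:
    """Prefix match on the canonical path, with a trailing slash so that
    '/usr/share/fonts-x/...' does not match an exempt '/usr/share/fonts'."""
    for d in exempt_dirs:
        prefix = posixpath.normpath(d).rstrip("/") + "/"
        if canon_path.startswith(prefix):
            return True
    return False


def safe_mode_allows(path: str, script_uid: int, exempt_dirs=(), fs=FAKE_FS) -> bool:
    """Model of the safe_mode open check: allow if the file lies under an
    admin-listed exempt directory (font paths, upload dirs), otherwise only
    if its owner uid equals the uid of the running script.
    Files that cannot be stat'ed are denied (fail closed)."""
    canon = canonical(path)
    if in_exempt_dir(canon, exempt_dirs):
        return True
    owner = fs.get(canon)
    return owner is not None and owner == script_uid
```

Note that a check of this kind is only as good as every code path that opens files going through it; an extension calling a third-party library's own open() bypasses it entirely, which is the gap the thread is about.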

-- PHP Development Mailing List <http://www.php.net/>