Re: [PHP-DEV] patch - adds new setting safe_mode_hide_env_vars From: Jason Greene (jason <email protected>)
Date: 10/21/00

> Changing TSRM to have the ability to prepend a directory is simple. It is
> probably one of the stronger ways to really enforce a chrooted enviromnent.
> But it does mean that PHP would be in a complete virtual root and I am not
> quite sure just how much it would effect all the different parts of PHP.

I can think of two main issues with this, some that I encountered with
the chroot hack I wrote(modified fopen_wrappers).

a) initial script request is a fully qualified path
   zend calls fopen_wrappers with the full path the has already
translated
   the way I got around this was to strncmp the chrooted path with the
full path.
   If this worked, then it left it alone - I did not feel completely
happy with this but I could not think of a better method.
b) php.ini file - configuration-parser.c calls php_fopen_with_path
   my solution was to only translate filenames beginning with /

> So the idea is that you would add in php.ini where your PHP virtual hosts
> are kept, for example, /php_users/ and the directory functions would use
> the virtual hostname (SERVER_NAME) to index it? Actually I'm not sure what
> exactly would be right to use.
Yes that's what I was thinking,

  The hack I am currently using in php does this by subtracting
SCRIPT_URL from SCRIPT_FILENAME and I mod_vhost_alias allows me to
define this . I suggested the ini value, because I was thinking about
compatibility with other webservers. I was thinking that using HTTP_HOST
or SERVER_NAME would work as long as its not pulling
ServerName from the config file(this would require separate virtualhost
directives). If this was the way to do it, I do think that there should
be a function to parse a pathname to allow the admin to choose the
indexing method.
(%1.1/%1.2/%0) becomes effective in preventing filesystem slowdowns due
to to many directories within a directory.

> Actually I'm not sure what exactly would be right to use.
In a shared environment the host request has to be the differentiator
whether it's a namebased or ip based environment. Some testing would
have to be made to find out if all webservers set HTTP_HOST and
SERVER_NAME correctly, but I am pretty sure they do.

-Jason 

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>