Mombu the Php Forum

1 18th November 20:09
admin
External User
 
Posts: 1
Default Safe mode story



Hi all,

I'm running a Plesk 8.3 mass hosting server equipped with PHP 5.1.6 on
CentOS 5, and I'm facing the problem of PHP "Safe mode" barfing at the
UID mismatch of PHP scripts uploaded by user's FTP UID, and later
executed by Apache UID, where user's PHP scripts thusly uploaded attempt
to write any files while doing their job.

Is there an educated solution? What if I relax safe mode checks to gid
(safe_mode_gid=On), and given that GID is psacln for every Plesk-hosted
customer, with only UIDs being different, is there any risk that folks
operating on their own chmod 660 files will be able to overwrite other
people's chmod 660 files? Or will open_basedir be enough to prevent
unwanted PHP level file access while relaxing safe mode uid check at the
same time? (by default, it is properly set by Plesk in
%mysite%/conf/httpd.include) ?

BTW, safe_mode_exec_dir is empty by default, does it mean if I do set
safe_mode_gid then users will be able to exec other Plesk users' cgi-bin
scripts etc. because of GIDs being equal??

Safe mode has _got_ to be there for some good reason.

Thanks in advance for any tips.
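
The two checks asked about above, modelled as an added example (not part of any post in this thread, and not PHP's own code): under safe_mode=On a file function passes when the script owner's UID matches the target's, or, with safe_mode_gid=On, when the GIDs match, and open_basedir is evaluated independently of both. The UIDs, the numeric GID and the /vhosts paths are constructed, and open_basedir is modelled as a directory tree rather than a bare prefix.

```python
import posixpath
from collections import namedtuple

Owner = namedtuple("Owner", "uid gid")

def in_open_basedir(path, basedirs):
    # Modelled as a directory tree (the value written with a trailing slash);
    # "../" segments are resolved before the comparison.
    real = posixpath.normpath(path)
    return any(real == b or real.startswith(b.rstrip("/") + "/")
               for b in map(posixpath.normpath, basedirs))

def php_file_access(script, target, path, basedirs, safe_mode_gid):
    """PHP-level verdict for a file function under safe_mode=On.
    Filesystem permissions for the Apache UID are a separate, later check."""
    if not in_open_basedir(path, basedirs):
        return "denied: open_basedir"
    if script.uid == target.uid:
        return "allowed: uid match"
    if safe_mode_gid and script.gid == target.gid:
        return "allowed: gid match"
    return "denied: safe_mode owner mismatch"

# Constructed sample data: two customers sharing one group, as in the question.
PSACLN = 2524                                   # constructed numeric GID
SITE_A = Owner(uid=10001, gid=PSACLN)           # owner of the running script
SITE_B = Owner(uid=10002, gid=PSACLN)           # owner of the other site's file
A_ROOT, B_ROOT = "/vhosts/site-a", "/vhosts/site-b"   # constructed paths
A_FILE = A_ROOT + "/httpdocs/log.txt"
B_FILE = B_ROOT + "/httpdocs/data.txt"
B_DOTS = A_ROOT + "/httpdocs/../../site-b/httpdocs/data.txt"

def scenarios():
    """Site A's script touching files under each combination of settings."""
    return {
        "own file":                    php_file_access(SITE_A, SITE_A, A_FILE, [A_ROOT], True),
        "B, gid on, per-site basedir": php_file_access(SITE_A, SITE_B, B_FILE, [A_ROOT], True),
        "B via ../, per-site basedir": php_file_access(SITE_A, SITE_B, B_DOTS, [A_ROOT], True),
        "B, gid on, shared basedir":   php_file_access(SITE_A, SITE_B, B_FILE, ["/vhosts"], True),
        "B, gid off, shared basedir":  php_file_access(SITE_A, SITE_B, B_FILE, ["/vhosts"], False),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:30} {verdict}")
```

In this model the shared group makes the relaxed owner check pass across sites, so the per-site open_basedir is the only PHP-level barrier left once safe_mode_gid is on.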
2 18th November 20:10
lonewolf
External User
 
Posts: 1
Default Safe mode story



You could try having Apache run as the UID of the user. With a few modifications to the Apache site config, you should be golden!

HTH,
Wolf

-----Original Message-----
From: admin <admin@azuni.net>
Sent: Sunday, May 11, 2008 1:06 AM
To: php-general@lists.php.net
Subject: [php] Safe mode story

[The entire original message is not included]
3 18th November 21:27
philthathril
External User
 
Posts: 1
Default Safe mode story


Read on about PHP6.... <http://www.ibm.com/developerworks/op...xw01PHP-Future


Scroll down to where the title is "Things removed" - notice that
'safe_mode' is listed. It may have been put in originally for a good
reason, but since then deprecated.

HTH,

~Philip