PHP
Tuesday, July 24, 2001  
downloads | documentation | faq | support | reporting bugs | links 

search for in the  


previousPersistent Database Connections
Function Referencenext

Last updated: Mon, 23 Jul 2001
view this page in English | Czech | Dutch | German | Italian | Japanese | Plain HTML

Chapter 23. Safe mode

Safe Mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now.

The configuration directives that control safe mode are:

safe_mode = Off 
open_basedir = 
safe_mode_exec_dir = 
safe_mode_allowed_env_vars = PHP_ 
safe_mode_protected_env_vars = LD_LIBRARY_PATH 
disable_functions = 
   

When safe_mode is on, PHP checks to see if the owner of the current script matches the owner of the file to be operated on by a file function. For example:

-rw-rw-r--    1 rasmus   rasmus       33 Jul  1 19:20 script.php 
-rw-r--r--    1 root     root       1116 May 26 18:01 /etc/passwd 
   
Running this script.php

<?php
 readfile('/etc/passwd'); 
?>  
   
results in this error when safe mode is enabled:

Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not 
allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line 2
   

If instead of safe_mode, you set an open_basedir directory then all file operations will be limited to files under the specified directory. For example (Apache httpd.conf example):

<Directory /docroot> 
php_admin_value open_basedir /docroot 
</Directory>  
   
If you run the same script.php with this open_basedir setting then this is the result:

Warning: open_basedir restriction in effect. File is in wrong directory in 
/docroot/script.php on line 2 
   

You can also disable individual functions. If we add this to our php.ini file:

disable_functions readfile,system  
   
Then we get this output:

Warning: readfile() has been disabled for security reasons in 
/docroot/script.php on line 2 
   

Functions restricted/disabled by safe-mode

This is a still probably incomplete and possibly incorrect listing of the functions limited by safe-mode.

Table 23-1. Safe-mode limited functions

FunctionLimitations
dbmopen()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
dbase_open()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
filepro()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
filepro_rowcount()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
filepro_retrieve()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
imap_thread()??
ifxus_tell_slob()??
muscat_close()??
pg_loimport()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
posix_mkfifo()Checks whether the directory in which you are about to operate, has the same UID as the script that is being executed.
putenv()??
move_uploaded_file()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
chdir()Checks whether the directory in which you are about to operate, has the same UID as the script that is being executed.
dl()??
shell_exec()??
popen()Checks whether the directory in which you are about to operate, has the same UID as the script that is being executed.
mkdir()Checks whether the directory in which you are about to operate, has the same UID as the script that is being executed.
rmdir()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
rename()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
unlink()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
copy()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
chgrp()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
chown()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
chmod()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
touch()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
symlink()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
link()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
ob_gzhandler()Checks whether the file(s)/directories you are about to operate on, have the same UID as the script that is being executed.
getallheaders()??
exec()??
system()??
passthru()??
mail()??
backtick operator??
Any function that uses php4/main/fopen_wrappers.c ??

User Contributed Notes
Safe mode
add a note about notes
philip@cornado.c()m
13-Jul-2001 11:43

Safe mode section in php2 manual :
http://www.php.net/manual/phpfi2.php#safemode

Marc Delisle
16-Jul-2001 03:49

include() and require() are also limited by safe mode.
add a note about notes


previousPersistent Database Connections
Function Referencenext

Last updated: Mon, 23 Jul 2001

show source | credits | stats | mirror sites:  

Copyright © 2001 The PHP Group
All rights reserved.
This mirror generously provided by: chek.com
Last updated: Tue Jul 24 17:12:50 2001 EDT