safe_mode and inclusion of files don't work as documented
on 28.08.2009 12:34:11 by Nico Sabbi
Hi,
I'm testing one of my sites in safe_mode, but I'm experiencing some
strangeness that is not documented.
The settings are:
in php.ini:
include_path =
".:/server/home/apache/php4/:/var/php/5.2/pear/:/usr/php/lib/ezcomponents-2008.2.2/"
in the virtualhost config:
php_admin_value safe_mode On
php_admin_value safe_mode_include_dir
"/server/home/nsabbi:/server/home/apache/php4:.:.."
The files belong entirely to apache:apache, the user who is running apache.
The problem is:
*Fatal error*: require_once() [function.require]: Failed opening required
'../include.php'
(include_path='.:..:/server/home/apache/php4/:/var/php/5.2/pear/:/usr/php/lib/ezcomponents-2008.2.2/')
in */server/home/nsabbi/nb4/login/index.php* on line *3*
How is it that I can't include files in .. ????
btw, can I redefine the include_path in safe mode?
Thanks,
Nico
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: safe_mode and inclusion of files don't work as documented
on 28.08.2009 12:39:51 by hack988 hack988
add this
php_admin_value open_basedir
Re: safe_mode and inclusion of files don't work as documented
on 28.08.2009 13:29:09 by Nico Sabbi
hack988 hack988 wrote:
> add this
> php_admin_value open_basedir
>
>
done, but it doesn't make a difference:
php_admin_value open_basedir
"/server/home/nsabbi:/server/home/apache/php4:.:.."
*Fatal error*: require_once() [function.require]: Failed opening required
'../include.php'
(include_path='.:/server/home/apache/php4/:/var/php/5.2/pear/:/usr/php/lib/ezcomponents-2008.2.2/')
in */server/home/nsabbi/nb4/login/index.php* on line *3*
and the same with
php_admin_value open_basedir none
Re: safe_mode and inclusion of files don't work as documented
on 28.08.2009 19:59:23 by Lars Torben Wilson
2009/8/28 Nico Sabbi :
> Hi,
> I'm testing one of my sites in safe_mode, but I'm experiencing some
> strangeness that is not documented.
>
> The settings are:
> in php.ini:
> include_path =
> ".:/server/home/apache/php4/:/var/php/5.2/pear/:/usr/php/lib/ezcomponents-2008.2.2/"
>
> in the virtualhost config:
>        php_admin_value safe_mode On
>        php_admin_value safe_mode_include_dir
> "/server/home/nsabbi:/server/home/apache/php4:.:.."
>
> The files belong entirely to apache:apache, the user who is running apache.
> The problem is:
>
> *Fatal error*: require_once() [function.require]: Failed opening required
> '../include.php'
> (include_path='.:..:/server/home/apache/php4/:/var/php/5.2/pear/:/usr/php/lib/ezcomponents-2008.2.2/')
> in */server/home/nsabbi/nb4/login/index.php* on line *3*
>
> How is it that I can't include files in .. ????
Hi Nico,
First the obligatory "safe_mode is deprecated and not recommended"
speech. . .but I guess you've already seen that in the docs and
decided to use it anyway.
What does the script do if you turn off safe_mode?
> btw, can I redefine the include_path in safe mode?
Yes.
> Thanks,
>  Nico
Regards,
Torben
Re: safe_mode and inclusion of files don't work as documented
on 31.08.2009 12:12:06 by Nico Sabbi
Lars Torben Wilson wrote:
> Hi Nico,
>
> First the obligatory "safe_mode is deprecated and not recommended"
> speech. . .but I guess you've already seen that in the docs and
> decided to use it anyway.
>
I read it, but I don't know if I have to interpret it as "php6 will only
work in safe mode" or "safe_mode is a bad idea" ;-)
> What does the script do if you turn off safe_mode?
>
it works perfectly
>
>> btw, can I redefine the include_path in safe mode?
>>
>
> Yes.
>
>
Good to know!
Re: safe_mode and inclusion of files don't work as documented
on 31.08.2009 13:17:52 by Nico Sabbi
one more clue, hopefully; the OS is OpenSolaris.
apache@sviluppo2: /server/home/nsabbi/nb4 $ ps -ef|grep httpd
apache 26840 25190 0 12:54:05 ? 0:09 /usr/apache2/2.2/bin/httpd -k start
apache 26842 25190 0 12:58:09 ? 0:21 /usr/apache2/2.2/bin/httpd -k start
root 25190 1 0 Aug 28 ? 2:27 /usr/apache2/2.2/bin/httpd -k start
apache 25191 25190 0 Aug 28 ? 0:00 /usr/apache2/2.2/bin/httpd -k start
apache 26844 25190 0 13:00:54 ? 0:21 /usr/apache2/2.2/bin/httpd -k start
apache 26864 25190 0 13:05:37 ? 0:01 /usr/apache2/2.2/bin/httpd -k start
apache 26890 26872 0 13:11:25 pts/1 0:00 grep httpd
apache 26865 25190 0 13:07:24 ? 0:01 /usr/apache2/2.2/bin/httpd -k start
apache 26821 25190 0 12:51:08 ? 0:24 /usr/apache2/2.2/bin/httpd -k start
apache 26845 25190 0 13:01:44 ? 0:02 /usr/apache2/2.2/bin/httpd -k start
apache 26789 25190 0 12:37:25 ? 0:27 /usr/apache2/2.2/bin/httpd -k start
apache 26863 25190 0 13:04:18 ? 0:01 /usr/apache2/2.2/bin/httpd -k start
apache 26846 25190 0 13:01:45 ? 0:11 /usr/apache2/2.2/bin/httpd -k start
*Warning*: require_once() [function.require-once]: SAFE MODE Restriction in
effect. The script whose uid is 1 is not allowed to access
../include.php owned by uid 48 in
*/server/home/nsabbi/nb4/login/index.php* on line *3*
*Warning*: require_once(../include.php) [function.require-once]: failed to open stream: No
such file or directory in */server/home/nsabbi/nb4/login/index.php* on
line *3*
*Fatal error*: require_once() [function.require]: Failed opening required
'../include.php'
(include_path='.:/server/home/apache/php4/:/var/php/5.2/pear/') in
*/server/home/nsabbi/nb4/login/index.php* on line *3*
why is php using uid 1?? It's as if the parent httpd were serving the
page itself, or not?
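An added diagnostic for the uid question in the message above (not code from the thread): safe_mode compares the owner of the script file, which getmyuid() returns, with the owner of the file being opened, so this prints both next to the process's effective uid. The $targets list and the owner_report() helper are assumptions made for illustration.

```php
<?php
// Added diagnostic, not code from the thread. Place it next to the failing
// script so it has the same owner and the same directory.
// $targets is a constructed sample: list the includes that fail for you.
$targets = array('../include.php');

// Compare each target's owner with the owner of the running script.
function owner_report($scriptUid, $baseDir, array $targets)
{
    $rows = array();
    foreach ($targets as $target) {
        // Assumption: relative targets are resolved against the script's
        // own directory ($baseDir), as '../include.php' is in the thread.
        $path  = (substr($target, 0, 1) === '/') ? $target : $baseDir . '/' . $target;
        $real  = realpath($path);
        $owner = ($real === false) ? false : fileowner($real);
        $rows[] = array(
            'target'   => $target,
            'resolved' => $real,   // false when the path cannot be resolved
            'owner'    => $owner,  // false when missing or stat() is refused
            'match'    => ($owner !== false && $owner === $scriptUid),
        );
    }
    return $rows;
}

header('Content-Type: text/plain');
$scriptUid = getmyuid();   // owner of this script file, not the process user
echo "script: ", __FILE__, "\n";
echo "script owner uid (getmyuid): ", var_export($scriptUid, true), "\n";
if (function_exists('posix_geteuid')) {
    echo "process effective uid: ", posix_geteuid(), "\n";
}
echo "safe_mode: ", var_export(ini_get('safe_mode'), true), "\n";
echo "safe_mode_include_dir: ",
    var_export(ini_get('safe_mode_include_dir'), true), "\n";
foreach (owner_report($scriptUid, dirname(__FILE__), $targets) as $row) {
    printf("%-20s -> %s owner=%s %s\n", $row['target'],
        var_export($row['resolved'], true), var_export($row['owner'], true),
        $row['match'] ? 'same owner as script' : 'OWNER MISMATCH OR UNREADABLE');
}
```

A script owner uid that differs from the uid shown by `ls -ln` for the include target reproduces the condition the SAFE MODE warning reports, independent of which user the httpd children run as.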
Re: safe_mode and inclusion of files don't work as documented
on 31.08.2009 22:56:21 by hack988 hack988
Please create a file (.php) and write the following code for more details.
============================
<?php
phpinfo();
?>
============================
Re: safe_mode and inclusion of files don't work as documented
on 01.09.2009 07:57:44 by Lars Torben Wilson
2009/8/31 Nico Sabbi :
> Lars Torben Wilson wrote:
>> Hi Nico,
>>
>> First the obligatory "safe_mode is deprecated and not recommended"
>> speech. . .but I guess you've already seen that in the docs and
>> decided to use it anyway.
>>
>
> I read it, but I don't know if I have to interpret it as "php6 will only
> work in safe mode" or "safe_mode is a bad idea" ;-)
Safe mode is a bad idea. :) It's not safe; it may only have the effect
of making you think you're safe. If you have a particular reason to
use it then maybe it's OK, but just be aware that it will not exist in
future versions of PHP and relying on it is not a good idea. Security,
unfortunately, is not as simple as toggling a configuration variable.
>> What does the script do if you turn off safe_mode?
>>
>
> it works perfectly
Can you post a simple script which demonstrates your problem (the
whole script, hopefully as short as you can make it) but which works
fine with safe_mode off? Also it would be helpful if you can include
the output of phpinfo() both with safe_mode on and with safe_mode off.
Regards,
Torben
Re: safe_mode and inclusion of files don't work as documented
on 02.09.2009 00:33:36 by Ben Dunlap
> Safe mode is a bad idea. :) It's not safe; it may only have the effect
> of making you think you're safe. If you have a particular reason to
> use it then maybe it's OK, but just be aware that it will not exist in
> future versions of PHP and relying on it is not a good idea. Security,
> unfortunately, is not as simple as toggling a configuration variable.
Yes -- and I always look askance at shared-hosting providers who rely
on safe_mode and call it a security measure. Then when I'm done
looking askance, I take my business elsewhere.
Ben