sh: /cat: no such file or directory

Anon

Hi all.

I get the error:

sh: /cat: no such file or directory
in my apache error log when I try following script:

<?php
system ("/bin/cat /etc/passwd",$rc);
?>

If I do a link from "/cat" to "/bin/cat" everthing works - probably my apache config file or my php setup is wrong. Any ideas ?

Thansk a lot

Ciao
CArsten

brandonschnell

1) what happens when you try the same command when you're logged on as the same user as apache? or under your normal username?

2) verify the location of the cat program.

kparker

If your path is setup properly, it should find cat on the path without any explicit path:

system("cat ....");

Anon

Thanks, I found the problem:

php.ini: safe_mode = On

After I changed it to Off, PHP found the "cat"-command.

But I'm wondering: do I understand it right that I'm not able to use external commands if "safe_mode = On" is set ?

kparker

It's not quite that strict. In php.ini file (quoting from the manual):

  safe_mode_exec_dir string

  If PHP is used in safe mode, system() and the other functions
  executing system programs refuse to start programs that
  are not in this directory.

The whole point is to give you control over what is allowed. You are free to specifiy /bin as the safe_mode directory, though lots of the benefits of same mode may go away if you do that. A safer course would be to create a private directory and link just those executable that (1) you actually are using and (2) you have reviewed in regard to security aspects.

[deleted]

Small side note: if you happen to be on a shared server, if you can do something in PHP, so can every other user of that machine.
So if you can read the passwd in PHP and send it somewhere, so can people with less good intentions....